After the security scandals that rocked Snapchat, and later WhatsApp, it is now Viber’s turn to get the hot seat. The instant messaging service was discovered to be transmitting images and videos posted by users and storing them on their servers with little security, allowing those with knowledge to get access to those pieces of data with no need for authentication.
This revelation came from security researchers at the University of New Haven. Their setup involved using Windows 7 as a virtual wifi miniport to which mobile devices connect to. This allowed them to monitor and capture Internet traffic going to and from Viber’s servers. The findings are quick shocking. It’s bad enough that videos and images are transmitted over the Internet without encryption, a security feature that, in this day and age of senseless snooping and privacy invasions, should be a must, especially in popular Internet services. But the data itself is stored on Viber’s Amazon servers also unencrypted and requiring no authentication to access. Meaning, anyone who knows how can take a peek at those sometimes personal and private media. The video below demonstrates the process in detail.
To be fair, it is not exactly a piece of cake to accomplish this, but hackers with enough skill and tools, like those using WiFI access point snooping or man-in-the-middle attacks, will be able to use this to their advantage. And there’s also the fact that those with such knowledge, tools, and skills might even be coming from our own governments. Regardless of how easy or hard it is to exploit, these are flaws that fly in the face of the most basic security best practices.
The bad news is that there is really no way to fix this from the user’s end, except for refusing to use Viber until a fix has been made. The good news is that Viber has been informed of the security hole and has worked on a fix that will be rolling out to the Android app soon.