
UPDATE – Viber, a messaging and VoIP application similar to WhatsApp, is in the middle of patching a vulnerability that could allow an attacker to view sensitive information shared between users like images, videos and location information.

The problem is that information transferred by Viber is stored in an unencrypted format on its servers and doesn’t require an authentication mechanism to be retrieved from a client.

Researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) publicized the vulnerability this week after reportedly failing to hear back from the company when notified.

Viber acknowledged this week that it is in the middle of committing fixes for the vulnerability in both its Android and Apple apps.

The vulnerability essentially means that whenever a user sends another user an image, video, location image or doodle – drawings specific to Viber – they could be sniffed or snooped by an attacker who can intercept the traffic. Messages on the app meanwhile appear to be safely encrypted.

Since the information is unencrypted, it could easily be gleaned via a rogue access point or a man-in-the-middle attack. Researchers actually found that by simply visiting the intercepted link in a web browser they could secure complete access to the data.

“Anyone, including the service providers will be able to collect this information,” the group warned Tuesday, “Anyone that sets up a rogue AP, or any man-in-the-middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.”

For now the researchers claim the vulnerability only affects the most recent version of the app for Android, 4.3.0.712, released in March, and two phones: Samsung’s Galaxy S4 running Android 4.3 and the HTC One running Android 4.4.2.

Several days after they first conducted their test the researchers went to several links they used in their test and found the same images and doodles, under the same URLs, were still being kept on Viber’s server, accessible without authentication.

In an e-mail Monday morning Frieda Aaronson, Viber’s Public Relations and Social Manager, confirmed that the issue has been resolved.

“It is currently in QA and the fix will be released for Android and submitted to Apple today,” she said, adding that as far as the company knows it isn’t aware of any individuals being affected.
