Viber sends video, images without encryption protection
A University of New Haven demonstration shows that Viber sends doodles, images, and map imagery unencrypted. (Screenshot by Stephen Shankland/CNET)
The Viber online chat app sends video and images without encryption and stores them online afterward at a publicly available address, researchers have found.
Ibrahim Baggili and Jason Moore, researchers from the University of New Haven's Cyber Forensics Research & Education Group, demonstrated Viber's open transmission of the data Wednesday. They found the data and links to its online location by intercepting traffic on a Windows 7 PC that was set up as a wireless access point for one of the mobile phones used in the test.
It's not trivial to get the data, but attackers can do so by setting up malicious wireless access points or by using man-in-the-middle attacks to intercept network traffic. In addition, Internet and mobile service providers and wireless access point operators have access to the data -- and so does anyone in intelligence services they share that data with, knowingly or not.
"The key here is to let the people know about these things so they can make an informed decision about using these applications until they are patched," Baggili, an assistant professor of computer science, told CNET on Thursday.
CNET contacted Viber for comment and will update this story with its response. Baggili said they contacted Viber through its support e-mail but didn't hear back.
Baggili and Moore also found a related though narrower problem with the WhatsApp service, a Viber competitor that also offers a cheaper alternative to traditional text, picture, and video messaging. WhatsApp, which Facebook is acquiring for $19 billion, has 500 million monthly active users and is expanding into voice communications. The researchers found it was sending unencrypted map imagery, something that Viber also did.
The researchers also found that Viber stores the data publicly on its servers for at least a week.
"The data is stored on Viber's server in an unencrypted manner," one of the researchers said in the video. "There is also no authentication method used, so anybody who has access to these links can look at this data, retrieve this data, and do whatever they want with it."
Source: CNET