“Anyone, including the service providers will be able to collect this information,” the group warned Tuesday, “Anyone that sets up a rogue AP, or any man-in-the-middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.” Researchers actually found that by simply visiting the intercepted link in a web browser they could secure complete access to the data. Since the information is unencrypted, it could easily be gleaned via a rogue access point or a man-in-the-middle attack. Messages on the app meanwhile appear to be safely encrypted. The vulnerability essentially means that whenever a user sends another user an image, video, location image or doodle – drawings specific to Viber – they could be sniffed or snooped by an attacker who can intercept the traffic. Viber acknowledged this week that they are in the middle of committing fixes for the vulnerability in both its Android and Apple apps. Researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) publicized the vulnerability this week after reportedly failing to hear back from the company when notified.
The problem is that information transferred by Viber is stored in an unencrypted format on its servers and doesn’t require an authentication mechanism to be retrieved from a client. UPDATE – Viber, a messaging and VoIP application similar to WhatsApp, is in the middle of patching a vulnerability that could allow an attacker to view sensitive information shared between users like images, videos and location information.
0 kommentar(er)
