Viber is a security threat ?
Post date: Jun 13, 2013 10:42:37 AM
Viber, a mobile messenger app that allows users to make phone calls and send text messages and images for free, also gives up plenty of free user data to anyone who wants to listen.
According to researchers from the University of New Haven (UNH) in Connecticut, US, Viber's app sends user messages in unencrypted form - including photos, videos, doodles, and location images.
All of that rich data from users is also stored unencrypted on Viber's servers, rather than being deleted immediately, and is accessible without credentials, just a link, theUNH researchers said.
It's the second cryptographic blunder exposed by UNH researchers in as many weeks - the UNH Cyber Forensics Research & Education Group disclosed on 13 April 2014 that the WhatsApp messenger app also gives away user location data in unencrypted form.
Using a Windows PC as a Wi-Fi access point, the UNH team was able to capture data sent by an Android smartphone with regular traffic sniffing tools, the same approach taken by UNH in their experiments with WhatsApp.
In a video posted on the UNH website and YouTube, the researchers demonstrated capturing messages sent between two test Android phones.
Data can be intercepted by poisoned access points, by malicious users on the same Wi-Fi network, or elsewhere in the network between you and Viber.
In the video, one of the researchers said the unencrypted messages can also be retrieved from Viber's servers by anyone who knows the message URL:
The data is stored on Viber's server in an unencrypted manner. There is also no authentication method used, so anybody who has access to these links can look at this data, retrieve this data, and do whatever they want with it.
The researchers, Dr Ibrahim Baggili and Jason Moore, said in a blog post that they reported the security flaw directly to Viber before publishing their results but did "not receive a response from them."
In a statement to CNET, Viber said it would be releasing a fix soon for Android and iOS, and said the issue has been "resolved."
This issue has already been resolved. It is currently in QA and the fix will be released for Android and submitted to Apple on Monday. As of today we aren't aware of a single user who has been affected by this.
The fact is that an modern online messaging app shouldn't really be "fixing" this sort of blunder - encryption should have been baked in from the start.
And for all that Viber may have "fixed" its apps to exchange data securely now, it hasn't said anything about addressing the insecurities that UNH found in Viber's cloud, where your messages are stored.
The company also lists only Android and iOS as getting updates, leaving users of its numerous other supported platforms in the dark.
That includes users of Viber on the desktop, via Samsung's Bada ecosystem, on Microsoft's various mobile operating systems, and on Blackberry and Nokia phones.
With all of this in mind, Viber's claim that "we aren't aware of a single user who has been affected by this" rings very hollow.
After all, the company didn't bother to apologize for not spotting these problems in its own QA – and putting its customers at needless risk.
Leaky mobile apps and data privacy
As is becoming all too common with the new breed of mobile messenger apps - including theFacebook-owned WhatsApp and the photo and video-sharing app Snapchat - security and privacy of user data seems to be an afterthought.
Although both WhatsApp and Viber said they will work to fix their encryption oversights, at times these young companies have exhibited a cavalier and disdainful attitude towards data privacy and security.
Viber, founded in 2010, has had a couple other security incidents in the past year.
In July 2013, a security researcher managed to use pop-up notifications from the Viber app to bypass the lock screen on an Android device.
And in April 2013, Viber's support page was hacked by the Syrian Electronic Army, although no user data was lost in the attack.
WhatsApp's founder Jan Koum famously said that "respect for your privacy is coded in our DNA," after his company was bought out by Facebook for $19 billion in March.
That's a nice sentiment, but WhatsApp has made repeated cryptographic blunders that left user data vulnerable.
Another rapidly growing messenger app, Snapchat, ignored warnings from security researchers that the app allowed unlimited searches of user phone numbers - a flaw that led to an attacker dumping 4.6 million usernames and phone numbers online after Snapchat dismissed the attack as "theoretical."
When asked to appear voluntarily before a Congressional hearing on data breaches, Snapchat refused to testify, leading one US Senator to say the company was "hiding something."
Which is ironic, since hiding user data from prying eyes doesn't appear to be one of the company's strengths.
Despite promises it made to users that their private messages would "disappear forever," Snapchat has acknowledged that user Snaps aren't deleted right away from their servers or from users' phones.
These popular messenger apps may be free, but at a cost to privacy for their hundreds of millions of users.
Consider these before downloading and installing Viber, think about your privacy and safety
1. From an ex-Israeli Defense Forces person Talmon Marco
“Talmon served for four years in the Israel Defense Forces and held the position of CIO of the central command. He graduated Cum Laude from the Tel-Aviv University with a degree in Computer Science and Management.”
Before Viber Talmon also created and spread free applications that could potentially monitor users communication and their activities
1. iMesh: A file sharing application that was found installing spyware on the users’ computershttp://filesharingz.com/reviews/imesh-review.php
2. Bandoo: A facbook plugin, blamed for sucpicious activities on users’ computershttp://www.mywot.com/en/scorecard/bandoo.com
2. So what does it read from your phone and what actions can it perform? you will be stunned if you do not know yet
- Read SMS, Receive SMS, any message even non-Viber messages, from your sim card
- Read sensitive log data – This allows it to discover general information about what you are doing with the tablet, potentially including personal or private information
- Read your contacts and move them to their server
- Your location
- Record Audio, take pictures and videos
- Automatically start when your phone is switched on “eyes always watching you”
- and a lot more, visit the reference below
Reference Google Play Store : https://play.google.com/store/apps/details?id=com.viber.voip
3. No revenue model,
- more than 1 and 1/2 years and they are paying, from unknown financial resources, for the infrastructure and staff that support more than 70 million registered users
- No Ads or any other means of sales/revenue
4. Not open for you and me,
- No advertised job ever could be found on internet or on their website, how do they hire their staff? how can I or you apply?
5. No detailed physical address but only a P.O.Box address of their agent in Cyprus ( a place knwon for Israeli spy operations).
- Viber, for some odd reason, was incorporated in Cyprus, a location favored by offshore gambling operations
- You cannot find where their offices are located, you will only find an address of theiry agent (a P.O.Box) address in Cyprus.
- Cyprus is well known as an external base for Israeli spy agents
- Why are they hiding where do they work and where are their offices?
Ref : http://www.viber.com/dmca.html (see the contact details at the bottom of the page)
6. If a secret service, like Mossad, had to setup a service that could watch everyone talking and chatting than what could be the easiest way then a free VOIP application?
“Your Apps are watching you”http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
Must read: “Privacy 101 or Why You Should Not Use iPhone App Viber”http://blog.agmon.com/2010/12/04/why-i-will-not-install-viber/
Israeli Viber is a spying mobile application
People might think that Israeli Viber was made to allow people to make free calls but , in fact this voice-over-IP phone application is more dangerous than that .
Why we think Israeli Viber is dangerous !?
- Viber was founded by Israelis, more over the same people who found IMesh , according to agmon.com, IMesh which started as a music sharing application , ended up by installing spywares on the computers of the users who install it .
- Privacy , according to their privacy statement “A copy of your address book will be stored on our servers and will be used to…” more over the calls that you make on Viber are being logged and recorded on those server , and yes they may share your personal data with 3rd parties they “trust”!.
- Viber are trying to hide their identity , but a Google Search will help you make sure of all the information mentioned in this article .
- Do you know who founded Israeli VIBER !???
Well his name is Talmon Marco ! Talmon served for four years in the Israel Defense Forces and held the position of CIO of the central command. He graduated Cum Laude from the Tel-Aviv University with a degree in Computer Science and Management.
So, will you give away all your contact lists and call logs to guys who made money from spyware distribution?
This article is not meant to be against any nationality , the big issue is that Viber Team are continuously doing their best to hide their identity , but why ?
To note that , this application by default will have access to your messaging inbox , gps location, your phone and all of the data saved on the mobile .
Sum up : Viber is an Israeli spying application, which clearly has 2 goals , the first is to gather data and sell it , and the second is to send this data to the Israeli government so they use this information against you .
the privacy statement have been updated , they only share your information to
(a) comply with the law, or legal process served on us;
(b) protect and defend our rights or property (including the enforcement of our agreements); or
(c) act in urgent circumstances to protect the personal safety of users of our services or members of the public.
But still we are asking , which law? and how can user’s data defend your right or property ?
And there’s no word from them on Why they are hiding their origin yet .