According to researchers from the University of New Haven's Cyber Forensics Research and Education Group, the online chat app Viber does not use encryption for videos and images sent through the app and then stores them at a publically available address for at least one week.
On Wednesday, Ibrahim Baggili and Jason Moore, researchers from the University of New Haven, demonstrated the app's data transmission in a YouTube video. The researchers found the data and links to its online location by intercepting traffic on a Windows 7 PC that was used as a wireless access point for one of the smartphones they used in their test. Gaining access to the data is not a simple task, but those with the necessary technical knowledge to do so would be met with a trove of unencrypted data. Attackers could set up malicious wireless access points or use man-in-the-middle attacks to intercept network traffic. Internet and mobile service providers as well as wireless access point operators also have access to this data. Providers and operators, knowingly or not, also share this information with intelligence services such as the NSA.
"The key here is to let the people know about these things so they can make an informed decision about using these applications until they are patched," explained Baggili, an assistant professor of computer science at the University of New Haven. Baggili and Moore said they contacted Viber about this issue but did not receive a response. On Thursday, Viber responded to questioning from CNET saying the problem would be fixed soon. "This issue has already been resolved," said Viber in its statement. "It is currently in QA [quality assurance testing], and the fix will be released for Android and submitted to Apple on Monday. As of today we aren't aware of a single user who has been affected by this."
Photo credit: screengrab