University of New Haven cyber researchers made a rather surprising revelation this week: the video and image files of Viber users stored on Amazon servers are not encrypted. The oversight largely exposes more than 300 million users to malicious hackers who might attempt to steal sensitive data, not least users' location information.
For the benefit of those who have not come across Viber before, the app works much like WhatsApp. It is a messaging and VoIP tool that stores data on Amazon cloud servers to reduce hardware and maintenance costs.
Cloud adoption has been of great help to online businesses because of the cost savings it affords. The problem with Viber's servers is that videos, photos and location data are stored on them without encryption or an authentication process to secure the content from unauthorized access. It deals quite a heavy blow to Amazon's efforts to bolster its security infrastructure with encryption amid the growing threat landscape.
The researchers are the same group that exposed a similar vulnerability affecting WhatsApp in early April, in which a bug in the app allowed man-in-the-middle attacks on location images that were being stored in an unencrypted format.
Thankfully, the Viber bug did not affect messages that are sent through the app. But photos, video clips, location images and doodles are now open to hacking, as attackers are able to intercept the flow of data between users and Viber servers.
Moreover, it was revealed that data stored on the Amazon servers is also not easily removable, and anyone trying to view it is practically free to do so by setting up a rogue access point to intercept the insecure traffic and steal the data being transmitted from a smartphone.
Man-in-the-middle attacks are not new, however. Hackers use this method to redirect Internet traffic and even alter the data before it reaches the intended recipient. There has been a rise in MITM attacks against financial institutions in recent years, and the threat continues to grow.
In the case of the Viber vulnerability, attackers only need to visit the intercepted link in order to gain complete access to the information of Viber users. And images and videos do not get deleted immediately. The researchers found that the contents remain on the compromised links for several days and can be accessed even without administrative rights.
Viber appears to be lagging behind in a technology trend showing a rapid rise in encryption adoption. Well, it must keep up with the rest if only to keep users from being worried by the vulnerabilities lurking around.