X

Viber sends video, images without encryption protection

Researchers demonstrate that a widely used mobile chat app not only sends some kinds of data in the open, it also stores it publicly online.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science. Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Stephen Shankland
2 min read

A University of New Haven demonstration shows that Viber sends doodles, images, and map imagery unencrypted.
A University of New Haven demonstration shows that Viber sends doodles, images, and map imagery unencrypted. screenshot by Stephen Shankland/CNET

The online chat app Viber sends video and images without encryption and stores it online afterward at a publicly available address, researchers have found.

Ibrahim Baggili and Jason Moore, researchers from the University of New Haven's Cyber Forensics Research & Education Group, demonstrated Viber's open transmission of the data Wednesday on a YouTube video. They found the data and links to its online location by intercepting traffic on a Windows 7 PC that was setup as a wireless access point for one of the mobile phones used in the test.

It's not trivial to get the data, but attackers can do so by setting up malicious wireless access points or who use man-in-the-middle attacks to intercept network traffic. In addition, Internet and mobile service providers and wireless access point operators have access to the data -- and anyone in intelligence services they share that data with, knowingly or not.

Viber logo
Viber

"The key here is to let the people know about these things so they can make an informed decision about using these applications until they are patched," Baggili, an assistant professor of computer science, told CNET on Thursday.

Baggili said they contacted Viber through its support email address, but didn't hear back. On Thursday, Viber told CNET the problem should be fixed soon.

"This issue has already been resolved," the company said in a statement. "It is currently in QA [quality assurance testing], and the fix will be released for Android and submitted to Apple on Monday. As of today we aren't aware of a single user who has been affected by this."

Baggili and Moore also found a related though narrower problem with WhatsApp, a Viber competitor that also offers a cheaper alternative to traditional text, picture, and video messaging. WhatsApp, which Facebook is acquiring for $19 billion, has 500 million monthly active users and is expanding into voice communications. The researchers found it was sending unencrypted map imagery, something that Viber also did.

The researchers also found that Viber stores the data publicly on its servers for at least a week.

"The data is stored on Viber's server in an unencrypted manner," one of the researchers said in the video. "There is also no authentication method used, so anybody who has access to these links can look at this data, retrieve this data, and do whatever they want with it."

Updated 5:48 a.m. PT with Viber comment saying it's fixing the issue.

Viber Media CEO Talmon Marco
Viber Media CEO Talmon Marco speaks at Mobile World Congress 2014. Stephen Shankland/CNET