Security researchers from the UNH Cyber Forensics Research & Education Group discovered several vulnerabilities and poor security practices in a popular messaging application, the well-known Viber, threatening the privacy of 150 million active users of the service.
The results of their research, as published:
Results Summary
- Images received are unencrypted
- Doodles received are unencrypted
- Videos received are unencrypted
- Lease images sent and received are unencrypted
- Data is stored on the Viber Amazon Servers in an unencrypted format
- Data stored on the Viber Amazon Servers is not deleted immediately
- Data stored on the Viber Amazon Servers can be easily accessed without any authentication mechanism (Simply visiting the intercepted link on a web browser gives us complete access to the data)
The researchers found that user data is stored on the company's servers, which are essentially Amazon servers. The data includes images, videos, and messages, stored in unencrypted form and without any authentication mechanism, so an attacker can simply visit the link and have full access to the data.
In a demonstration video, the researchers showed that the company does not encrypt data while transferring it between the servers it uses, which allows an attacker to capture the traffic and carry out man-in-the-middle attacks.
The researchers reported the vulnerabilities to the application's team before publishing their findings on their blog, but did not receive any response.
"It is important to let people know about these weaknesses; therefore, we chose to present the results and the video of the research in this post," they state on their blog.
Watch the demo video