The online chat app Viber sends video and images without encryption and stores it online afterward at a publicly available address, researchers have found.
Ibrahim Baggili and Jason Moore, researchers from the University of New Haven's Cyber Forensics Research & Education Group, demonstrated Viber's open transmission of the data Wednesday on a YouTube video. They found the data and links to its online location by intercepting traffic on a Windows 7 PC that was setup as a wireless access point for one of the mobile phones used in the test.
It's not trivial to get the data, but attackers can do so by setting up malicious wireless access points or who use man-in-the-middle attacks to intercept network traffic. In addition, Internet and mobile service providers and wireless access point operators have access to the data -- and anyone in intelligence services they share that data with, knowingly or not.
"The key here is to let the people know about these things so they can make an informed decision about using these applications until they are patched," Baggili, an assistant professor of computer science, told CNET on Thursday.
Baggili said they contacted Viber through its support email address, but didn't hear back. On Thursday, Viber told CNET the problem should be fixed soon.
"This issue has already been resolved," the company said in a statement. "It is currently in QA [quality assurance testing], and the fix will be released for Android and submitted to Apple on Monday. As of today we aren't aware of a single user who has been affected by this."
Baggili and Moore also found a related though narrower problem with WhatsApp, a Viber competitor that also offers a cheaper alternative to traditional text, picture, and video messaging. WhatsApp, which Facebook is acquiring for $19 billion, has 500 million monthly active users and is expanding into voice communications. The researchers found it was sending unencrypted map imagery, something that Viber also did.
The researchers also found that Viber stores the data publicly on its servers for at least a week.
"The data is stored on Viber's server in an unencrypted manner," one of the researchers said in the video. "There is also no authentication method used, so anybody who has access to these links can look at this data, retrieve this data, and do whatever they want with it."
Updated 5:48 a.m. PT with Viber comment saying it's fixing the issue.