Viber lacks image encryption (now fixed)

On 7 April, I reported what appeared to be a successful man-in-the-middle attack on a conversation I was having on the messaging app Viber. A Telecom Wi-Fi hotspot removed the image I was attempting to send to a friend, and replaced it with a protection message – all without Viber detecting this had happened.

Following this, I investigated with Viber and found that images and calls are not encrypted end-to-end, allowing eavesdropping and this successful attack. The attack and the resulting fixes from Viber are detailed in full at: http://www.cnet.com/au/news/viber-begins-fixing-image-encryption-vulnerability/

Below: Compare the

Image view from sender

Intercepted image view from recipient