Viber – the popular VOIP messaging app beloved by iPhone and Android users -hasn’t acknowledged the problem yet, but it has a major security problem going on right under its nose.
The notorious Syrian Electronic Army has claimed credit for an attack against the free phonecall and texting app’s website, which has resulted in Viber’s Support and Knowledgebase website being commandeered by the hacking group, and private data about users published on the web.
The news of the Viber hack comes only days after the same cybercriminals managed to steal details of millions of Tango users, another mobile messaging app.
Viber’s support website at http://support.viber.com/ currently looks like this:
Clearly it can no longer be considered under the control of Viber itself.
Part of the message on the defaced website reads:
Hacked by Syrian Electronic Army
Dear All Viber Users,
The Israeli-based “Viber” is spying and tracking you
We weren’t able to hack all Viber systems, but most of it is designed for spying and tracking
Screenshot of a hacked system:
Embedded within the defaced webpage is a link to a screencapture of what appears to be an internal database by Viber employees showing users’ phone numbers, device UDID, country, IP address, operating system and version, first registration to Viber, and what version of Viber they are using.
I’ve blurred out the information in the above screenshot, but the hackers made no such attempts to protect users’ privacy.
In the example posted by the Syrian Electronic Army, the phone numbers all have the internationally dialling code of 963 – the code for Syria.
In addition, at the bottom of the defaced webpage, the hackers published the names, phone numbers and email addresses of Viber administrators.
This is obviously highly damaging to Viber.
My guess is that the Syrian Electronic Army was able to trick a member of Viber’s staff into handing over their username and password (possibly via a phishing attack), and the hackers were then able to use this information to crowbar their way into Viber’s internal systems, with damaging results.
The Syrian Electronic Army is very happy to put the boot in it seems, tweeting out:
Warning: If you have “Viber” app installed we advise you to delete it
Earlier this year, Viber announced that it had over 200 million mobile users.
There is currently no mention of the security issue on Viber’s Twitter or main website.
A Viber spokesperson got in touch with me, and gave me the following statement:
“Today the Viber Support site was defaced after a Viber employee unfortunately fell victim to an email phishing attack. The phishing attack allowed access to two minor systems: a customer support panel and a support administration system. Information from one of these systems was posted on the defaced page.
It is very important to emphasize that no sensitive user data was exposed and that Viber’s databases were not “hacked”. Sensitive, private user information is kept in a secure system that cannot be accessed through this type of attack and is not part of our support system.
We take this incident very seriously and we are working right now to return the support site to full service for our users. Additionally, we want to assure all of our users that we are reviewing all of our policies to make sure that no such incident is repeated in the future.”
In addition, I was told that the UDID displayed on the screenshot is not the device UDID, but instead an internal Viber ID number.
Viber is understandably trying to calm users about the security breach. But the fact remains, that the Syrian Electronic Army succeeded in getting unauthorised access to data held in Viber’s support systems, and were able to access (at least some) users’ phone numbers and users’ IP addresses.