Straight to the point: Viber, due to poor security management across devices, will allow an attacker to easily steal all of your contacts and to monitor all of your conversations.
Here is how:
Couple a weeks ago I started using Viber for desktop. In order to sign in all you need to do is to enter your phone number on desktop app:
When you enter your phone number on Viber for desktop a Viber application on your smartphone generates a security code that you need to enter in order to sign in:
This is all the verification required in order to start using Viber for desktop. From this moment all of your contacts are stored on your desktop app and all of the new conversations are automaticaly being synced with your mobile phone. So everything that happens on your mobile phone can be later viewed on desktop app. Nice and easy, but….
Here is the „vulnerability“: Push notification with security code is being displayed on locked screen. Your notification settings are not working for security push notification.
Here are my Viber notification settings:
All notifications disabled, however, the security notification vibrates the phone, turns the light on and shows the security code making a huge impact to your privacy and security.
Attack scenarios
There are multiple attack scenarios in order to exploit this poor security management. All the attacker needs to know is your mobile number (not so hard to find out these days). The other requirement for an attacker is to have a one second view on your mobile phone screen. Also not so hard with nowadays 5 or 6 inches screens.
So lets say you leave your mobile phone on your desk at work when you are using the toilet. Bad and wicked employee can start to monitor all of your conversations. This is just a light one.
Advanced attacker with SE techniques, shoulder surfing, hidden cameras etc. could almost certainly trick anyone.
I guess that „Viber out“ just got a brand new meaning.
Tested platforms: Viber for Linux, Viber for Windows and latest Viber for Android 5.5.2.28.