Viber attack may have been more broad than initially thought [updated]

By , Jul 28, 2013


Internet companies beware, hackers are out in full force this month. In the past two weeks, we’ve seen Apple’s Dev Center hacked, several Instagram accounts hacked, and the popular voice and messaging service Viber attacked.

Viber claims, though, that the damage it suffered from its breach was minimal, saying the attacker only gained access to two minor support systems. But a quick glance at its App Store description suggests that wasn’t the case…

Earlier this evening, 9to5Mac pointed to the App Store description of Viber’s popular iOS app, which had clearly been defaced. The attackers replaced the text with “We created this app to spy on you, PLEASE DOWNLOAD IT!”

The site was able to grab a screenshot before the description was restored:

[Screenshot: the defaced Viber App Store description]

From a distance, it looks like this could be related to Apple’s Dev Center attack, but it’s not likely. 9to5Mac’s Mark Gurman suggests the hackers could have gained access to Viber’s iTunes Connect account using a phishing scam.

From the company’s initial statement on the hack:

“Today the Viber Support site was defaced after a Viber employee unfortunately fell victim to an email phishing attack. The phishing attack allowed access to two minor systems: a customer support panel and a support administration system. Information from one of these systems was posted on the defaced page.

It is very important to emphasize that no sensitive user data was exposed and that Viber’s databases were not “hacked”. Sensitive, private user information is kept in a secure system that cannot be accessed through this type of attack and is not part of our support system.”

But my problem here is that Viber hasn’t been very transparent about the attack. Sure, they claim that there was no sensitive user data exposed. But they also said the hack was limited to two minor systems, which it obviously wasn’t.

As a long-time user, I think the company has some more explaining to do.

Viber was initially hacked on Tuesday, July 23rd, by the Syrian Electronic Army. The group claims the Israel-based firm, which hosts 200 million users worldwide, is “spying and tracking” its users, and says folks should stay away.

Update: a Viber spokesman has reached out to iDB and provided the following statement:

A few days ago a “hacker” was able to gain access to a couple of Viber.com email accounts via a phishing attack. This has since been fixed.

Data they recovered allowed them to deface our support site and also gain access to our iTunes Connect account (App Store) at a level that allowed them to change the description text of our app – which they did a few days ago around the same time as the original defacement. We noticed this within minutes, fixed the metadata and removed this user (in fact, all users but one) from our iTunes Connect account.

Unfortunately, on Saturday this happened again. Upon further investigation we realized this is a security issue in iTunes Connect. It seems that when you remove a user, if the user is logged in, then the user stays logged in. We hope Apple fixes this issue soon, as currently we have no way to permanently disconnect this user from our iTunes Connect. We have reached out to Apple regarding this issue and are waiting on their response.

At this point, we want to reassure users, that this has no impact on the security of the Viber App, Viber System, our databases, user information, etc. It’s merely an unfortunate nuisance.
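The failure Viber describes in its statement, a removed iTunes Connect user whose existing session keeps working, is a classic session-revocation gap: removing the account membership without touching the sessions that membership had created. The following is an added example, not Apple’s iTunes Connect code nor anything Viber published, showing a toy server-side session store in Python with the weak behaviour (removal only edits the member list) beside the hardened one (removal revokes the user’s live sessions, and every request re-checks membership as a second layer). All account names, member names and tokens are constructed for the example.

```python
"""Added example (constructed; not Apple's or Viber's code): why removing a
user from a shared account must also invalidate that user's live sessions.

The store models a multi-user account such as an app-store developer team.
Two knobs select the weak or hardened behaviour so both can be compared.
"""
import secrets


class SessionStore:
    """Server-side sessions for one multi-user account (constructed model)."""

    def __init__(self, members, revoke_on_removal, recheck_membership):
        self.members = set(members)          # users currently allowed in
        self.sessions = {}                   # session token -> user name
        self.revoke_on_removal = revoke_on_removal
        self.recheck_membership = recheck_membership

    def login(self, user):
        """Issue an unguessable session token to a current member."""
        if user not in self.members:
            raise PermissionError(f"{user} is not a member of this account")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def remove_member(self, user):
        """Remove a user from the account.

        Weak behaviour: only the membership list changes, so any session the
        user already holds keeps working (the gap described in the article).
        Hardened behaviour: every live session of that user is revoked too.
        """
        self.members.discard(user)
        if self.revoke_on_removal:
            stale = [t for t, u in self.sessions.items() if u == user]
            for token in stale:
                del self.sessions[token]

    def is_authorized(self, token):
        """Authorize a request carrying `token` to act on the account."""
        user = self.sessions.get(token)
        if user is None:
            return False
        if self.recheck_membership and user not in self.members:
            # Defence in depth: a session that slipped past revocation (for
            # example, one held in another node's cache) still fails as soon
            # as membership is re-checked, and is dropped on the spot.
            del self.sessions[token]
            return False
        return True


TEAM = ["owner", "support-staff"]   # constructed account members


def weak_store():
    """Only the member list changes on removal; sessions are never re-checked."""
    return SessionStore(TEAM, revoke_on_removal=False, recheck_membership=False)


def recheck_only_store():
    """No explicit revocation, but every request re-validates membership."""
    return SessionStore(TEAM, revoke_on_removal=False, recheck_membership=True)


def hardened_store():
    """Both layers: revoke on removal and re-check membership per request."""
    return SessionStore(TEAM, revoke_on_removal=True, recheck_membership=True)


def removed_user_still_has_access(store):
    """Replay the incident shape: a member logs in, is removed, then tries
    to act on the account with the session obtained before removal."""
    token = store.login("support-staff")
    store.remove_member("support-staff")
    return store.is_authorized(token)


def remaining_member_unaffected(store):
    """Revoking one user's sessions must not log out the other members."""
    owner_token = store.login("owner")
    store.login("support-staff")
    store.remove_member("support-staff")
    return store.is_authorized(owner_token)


if __name__ == "__main__":
    for name, factory in [("weak", weak_store),
                          ("recheck-only", recheck_only_store),
                          ("hardened", hardened_store)]:
        print(f"{name:13s} removed user still authorized:",
              removed_user_still_has_access(factory()))
```

The weak store reproduces the nuisance Viber reports: the removed member’s pre-existing token still authorizes requests. Either layer alone closes it, but keeping both matters in a distributed service, where revocation may lag behind the membership change on some nodes.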

  • http://hashuumi.tumblr.com/ Hisham

    I should go learn “Ethical Hacking” just in case …

  • Kurt

    Tango, was hacked last Monday also

  • eXvoLution

    loving these mouse and cat tails :)

  • Om

    The Viber spokesman didn’t deny the fact that Viber tracks and spies on its users.

    • Kurt

      Good point! I asked in the other article how they make money since they don’t charge for the app, no ads in the app and no ads on the site. The representative said they will have some premium features in the future. NEVER mentioned how they make money now. People don’t work for free. And those servers they use must be expensive. That and all their employees.

      • EpicFacepalm

        It’s far from a conspiracy, you can analyze the app, it uses various tracking libraries. The contacts are sold to ad companies as well, great way to sell contacts I guess

      • NEWYORKMINUTE10

        Most people from many countries use Viber because it allows free calling and texting. And therefore NSA have full access to spy on the world. That’s why I will stick with my carrier even if I don’t have anything to hide. And glad I’m not living in the US

      • BoardDWorld

        Stick to your carrier? you mean to limit yourself to just a single avenue that passes on personal information?

      • NEWYORKMINUTE10

        nah, my operator doesn’t have backdoor for NSA

      • Kurt

        Do you use iCloud, or Dropbox? If so then those files are lovingly given to the NSA. Or any Google service, yahoo, Microsoft etc. The data mining is all stored in huge data centers in Utah. They are 4 times as large as the Pentagon. They are very serious about having all our information. The 4th amendment is nearly dead.

      • Kurt

        Thanks for the reply. How can I analyze app as you did? So would you agree with the SEA about the tracking and spying on us?

      • EpicFacepalm

        Well, I have no evidence that the data is stored on NSA but I remember that they use tracking libraries and send this information to their servers. They are most likely to be sold to the ad companies but the reply below says we do not sell information so we can start conspiracies because we don’t know how they finance all these server costs.

        To analyze you can use Flex, Class Dumper and/or if you know reverse engineering IDA from Hex-Rays. It was very obvious in the class names at least that is what it used to be.

    • n0ahcruz3

      So true! What’s up with that viber?!

      • http://www.viber.com/ Viber

        @Om and @m0ahcruz3 -

        We do not spy on our users.
        Please see our full response above, concerning the info we collect from our users.

        We’d like to emphasize again – the info we collect is used solely for functional purposes. We do not abuse or sell this information in any way.

      • NEWYORKMINUTE10

        How do you get money then? Server, personnel, developers, office, internet costs

      • http://www.viber.com/ Viber

        Currently, Viber’s focus is on adding new features and integrating with more platforms, as well as improving overall system performance. At the same time, we are working on additional premium services that will generate revenue once they become available. The basic Viber service – Viber-to-Viber phone calls and text messages – will always remain free, and we will not add advertisements onto Viber.

  • Jacob S

    After multiple attempts to switch to Android with Galaxy Siii and S4, finally I managed to like Android with HTC One. I guess there is no turning back to iOS in the near future though rest of my family is still with iOS. Also I am a registered developer with Apple and I could not believe how vulnerable their system was. I believe the latest statement from Viber about iTunes connect account vulnerability. Hope Apple will fix it soon. I am a regular user of Viber and hope my information was not compromised.

    • EpicFacepalm

      The problem is, if you use Viber your information is already compromised legally. But yeah, I get your point.

      • Jacob S

        “if you use Viber your information is already compromised legally” – I like that, but sadly it is true with every other thing, not just with Viber :)

      • http://www.viber.com/ Viber

        We’d like to add the following clarification:

        First, it is important to be accurate – we collect only names and phone numbers, nothing else. Naturally, we collect users’ information not for commercial purposes, but only for functional reasons, and in order for us to enable the service that we, as a company, promise to provide. Without that information, Viber cannot function. This is not different from any other major social network/communication service provider in our world nowadays.

        We would like to clarify: we *do not* and will never sell users’ information to third-parties, and we keep this information well locked in our servers, with extremely limited access to it. This information (in great detail) is explained in our very clear and transparent Privacy Policy – to which we are committed by law – that can be found in our official homepage. Have you taken a close look at it?

        If after reading it carefully there are still doubts or questions, then we will be more than happy to assist address them :)

      • NEWYORKMINUTE10

        I like Viber but don’t use it and never will because, better safe and costly than free and unsafe in some US company that is regulated by the government. Microsoft said the same before documents were revealed saying the opposite. I’m not saying that Viber has backdoor or not, but I’m sure that even if it had the information would be confidential and not allowed to all staff at Viber.

  • Zaidan Umar

    What if the NSA pays Viber to let them spy on the people. Maybe that’s how viber makes its money!

    • NEWYORKMINUTE10

      Even if they don’t pay, if NSA says they want access, Viber will give/gave it to them

      • david j

        I loaded Viber tonight. I thought not built in the USA was OK.. Then I used Google and started to research. I am already convinced the NSA has financed this whole operation.

        1) The owner lived in NY, USA.. See his linkedin page
        2) Viber owners have links to Israel .. ha they spy for the Americans..
        3) Viber has no income…where did the money come from ??? NSA

        So now the NSA can spy on Americans assuming Viber is foreign.. and the NSA can spy on the rest of the world. They now have 200 million phone numbers and names. x multiple phone address books..Billions of contacts..I am starting to get scared. The NSA and American spying is endless..We should ALL be outraged..

      • http://www.viber.com/ Viber

        Hi there,
        I’m an official representative of Viber.

        We have replied to all of the “espionage” claims all through this blog, so you may find our detailed answer there :)

        Regarding your question about our income:

        Currently, Viber’s focus is on adding new features and integrating with more platforms, as well as improving overall system performance. At the same time, we are working on additional premium services that will generate revenue once they become available (very soon). The basic Viber service – Viber-to-Viber phone calls and text messages – will always remain free.

  • http://www.viber.com/ Viber

    Hi,

    I’m an official representative from Viber.

    As mentioned in the article, a security issue in iTunes Connect allowed the same “hackers” who defaced our Support Site to change the description of our AppStore page (and that’s all). We have contacted Apple regarding this issue and are awaiting their response. Meanwhile, our AppStore page is back to normal.

    We want to reassure our users: this has no impact on the security of the Viber App, Viber System, our databases, user information, etc. It’s merely an unfortunate nuisance.

    If anyone has any more questions/doubts, please don’t hesitate to contact us :)

    Thanks,
    the Viber Team.

    • NEWYORKMINUTE10

      May I ask, iDownloadBlog isn’t so big so why are some big company (user base) doing reading and answering peoples comments on here?

      • http://www.viber.com/ Viber

        We have company representatives in many blogs/forums across the world, providing direct assistance to our users. We don’t only address user concerns regarding this specific story, but also about more “mundane” feedback, such as bug reports, feature requests, etc.

        In general, our users’ voice is very important to us.

  • Saria Hajjar

    yeah… because if any information was exposed they would happily say “dear user, your information was exposed”.
    I hear losing customers is a good thing!
    for crying out loud! do you take us as some dumb-a$s users?