Viber attack may have been more broad than initially thought [updated]


Internet companies beware, hackers are out in full force this month. In the past two weeks, we’ve seen Apple’s Dev Center hacked, several Instagram accounts hacked, and the popular voice and messaging service Viber attacked.

Viber claims, though, that the damage it suffered from its breach was minimal, saying the attacker only gained access to two minor support systems. But a quick glance at its App Store description suggests that wasn’t the case…

Earlier this evening, 9to5Mac pointed to the App Store description of Viber’s popular iOS app, which had clearly been defaced. The attackers replaced the text with “We created this app to spy on you, PLEASE DOWNLOAD IT!”

The site was able to grab a screenshot before the description was restored:

[Image: screenshot of the defaced Viber App Store description]

From a distance, it looks like this could be related to Apple’s Dev Center attack, but it’s not likely. 9to5Mac’s Mark Gurman suggests the hackers could have gained access to Viber’s iTunes Connect account using a phishing scam.

From the company’s initial statement on the hack:

“Today the Viber Support site was defaced after a Viber employee unfortunately fell victim to an email phishing attack. The phishing attack allowed access to two minor systems: a customer support panel and a support administration system. Information from one of these systems was posted on the defaced page.

It is very important to emphasize that no sensitive user data was exposed and that Viber’s databases were not “hacked”. Sensitive, private user information is kept in a secure system that cannot be accessed through this type of attack and is not part of our support system.”

But my problem here is that Viber hasn’t been very transparent about the attack. Sure, they claim that there was no sensitive user data exposed. But they also said the hack was limited to two minor systems, which it obviously wasn’t.

As a long-time user, I think the company has some more explaining to do.

Viber was initially hacked on Tuesday, July 23rd, by the Syrian Electronic Army. The group claims the Israel-based firm, which serves 200 million users worldwide, is “spying and tracking” its users, and says folks should stay away.

Update: a Viber spokesman has reached out to iDB and provided the following statement:

A few days ago a “hacker” was able to gain access to a couple of Viber.com email accounts via a phishing attack. This has since been fixed.

Data they recovered allowed them to deface our support site and also gain access to our iTunes Connect account (App Store) at a level that allowed them to change the description text of our app – which they did a few days ago around the same time as the original defacement. We noticed this within minutes, fixed the metadata and removed this user (in fact, all users but one) from our iTunes Connect account.

Unfortunately, on Saturday this happened again. Upon further investigation we realized this is a security issue in iTunes Connect. It seems that when you remove a user, if the user is logged in, then the user stays logged in. We hope Apple fixes this issue soon, as currently we have no way to permanently disconnect this user from our iTunes Connect. We have reached out to Apple regarding this issue and are waiting on their response.

At this point, we want to reassure users that this has no impact on the security of the Viber App, Viber System, our databases, user information, etc. It’s merely an unfortunate nuisance.
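The iTunes Connect behaviour the statement describes, removing a user while that user's existing login stays valid, is a common session-management mistake: membership is checked only at login, and removal never touches the sessions already issued. The block below is an added example written for this page, not Apple's or Viber's code, and it assumes nothing about how iTunes Connect is actually built. It models a small in-memory team with a buggy store beside a hardened one that (1) revokes every stored session on removal, (2) re-checks membership on each request, and (3) keeps a per-user revocation epoch so a stale copy of an old session is rejected even after the user is re-added. All class and function names are invented for illustration.

```python
"""Session revocation on user removal (illustrative code, not iTunes Connect).

Assumed model (invented for this example): a team has a set of members, each
login creates an opaque session id, and every request is authorised by looking
that id up. Time is a logical clock so the demo is deterministic.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: int  # logical tick at login time


class NaiveTeam:
    """Buggy pattern: removing a member leaves that member's sessions alive."""

    def __init__(self) -> None:
        self.members: set[str] = set()
        self.sessions: dict[str, Session] = {}
        self._tick = 0

    def _next_tick(self) -> int:
        self._tick += 1
        return self._tick

    def add_member(self, user: str) -> None:
        self.members.add(user)

    def login(self, user: str) -> str:
        if user not in self.members:
            raise PermissionError(f"{user} is not a member")
        sid = secrets.token_urlsafe(32)  # unguessable opaque session id
        self.sessions[sid] = Session(user, self._next_tick())
        return sid

    def remove_member(self, user: str) -> None:
        self.members.discard(user)  # sessions are never touched: the bug

    def is_authorized(self, sid: str) -> bool:
        return sid in self.sessions  # membership is never re-checked


class RevokingTeam(NaiveTeam):
    """Hardened: revoke on removal and re-validate on every request."""

    def __init__(self) -> None:
        super().__init__()
        self.revoked_before: dict[str, int] = {}  # user -> revocation tick

    def remove_member(self, user: str) -> None:
        super().remove_member(user)
        # 1. Drop every stored session that belongs to the removed user.
        for sid in [s for s, sess in self.sessions.items() if sess.user == user]:
            del self.sessions[sid]
        # 2. Record a revocation epoch: any session issued before this tick is
        #    dead even if a copy resurfaces from a cache or replica.
        self.revoked_before[user] = self._next_tick()

    def is_authorized(self, sid: str) -> bool:
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        if sess.user not in self.members:  # 3. re-check membership per request
            return False
        return sess.issued_at >= self.revoked_before.get(sess.user, 0)


def demo() -> dict[str, bool]:
    """Runs both stores through the same remove-then-reuse sequence."""
    results: dict[str, bool] = {}

    naive = NaiveTeam()
    naive.add_member("contractor")
    sid = naive.login("contractor")
    naive.remove_member("contractor")
    results["naive_still_logged_in"] = naive.is_authorized(sid)

    hard = RevokingTeam()
    hard.add_member("contractor")
    sid = hard.login("contractor")
    stale_copy = hard.sessions[sid]  # what a lagging replica might still hold
    hard.remove_member("contractor")
    results["hardened_still_logged_in"] = hard.is_authorized(sid)

    hard.add_member("contractor")  # re-added later
    hard.sessions[sid] = stale_copy  # simulate the old session being replayed
    results["replayed_old_session_after_readd"] = hard.is_authorized(sid)
    results["fresh_login_after_readd"] = hard.is_authorized(hard.login("contractor"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three checks are deliberately redundant: deleting stored sessions handles the normal case, the per-request membership test closes the window where a session is created or replicated between removal and cleanup, and the revocation epoch makes the decision safe even when the session record itself cannot be trusted to have been deleted.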