CVE-2018-3987 in Viber
Summary
by MITRE
An exploitable information disclosure vulnerability exists in the 'Secret Chats' functionality of Rakuten Viber on Android 9.3.0.6. The 'Secret Chats' functionality allows a user to delete all traces of a chat either by using a time trigger or by direct request. There is a bug in this functionality which leaves behind photos taken and shared on the secret chats, even after the chats are deleted. These photos will be stored in the device and accessible to all applications installed on the Android device.
Analysis
by VulDB Data Team • 03/30/2024
The vulnerability described in CVE-2018-3987 represents a critical information disclosure flaw within Rakuten Viber's Secret Chats functionality on Android devices. This security issue specifically affects version 9.3.0.6 of the Viber application and demonstrates a fundamental failure in the application's secure deletion mechanisms. The flaw manifests when users attempt to delete secret chats through either time-triggered deletion or manual deletion requests, creating a scenario where sensitive multimedia content remains accessible on the device despite the chat deletion process. This vulnerability directly contradicts the core security promise of secret chats, which should provide complete erasure of communication content upon user request. The issue falls under the category of improper data handling and secure deletion practices, representing a significant deviation from expected security controls for encrypted messaging applications.
The technical implementation flaw involves the incomplete removal of multimedia files from the device's storage system when secret chats are deleted. While the chat metadata and text messages may be properly removed, the photos shared within these secret chats persist in the device's file system and become accessible to other applications with appropriate permissions. This occurs because the application fails to properly clean up all associated files and directories that contain the shared media content. The vulnerability is particularly concerning as it bypasses the expected security boundaries that should isolate sensitive data from other applications. According to CWE standards, this represents a weakness in data sanitization and secure deletion processes, specifically categorized under CWE-200 for exposure of sensitive information and CWE-312 for exposure of sensitive data through improper deletion. The flaw essentially creates a data leakage channel that undermines the confidentiality guarantees typically associated with encrypted communication systems.
The operational impact of this vulnerability extends beyond simple data exposure to create a comprehensive security risk for users of the Viber application. Attackers with malicious intent could potentially access these retained photos through other applications or by exploiting additional vulnerabilities in the Android operating system, particularly those with storage access permissions. The persistent nature of these files means that even if a user believes they have securely deleted sensitive conversations, the associated multimedia content remains accessible to unauthorized parties. This vulnerability significantly impacts user trust in the application's security claims and creates potential risks for individuals who share sensitive or private content through secret chats. The exposure of these photos could lead to privacy violations, identity theft, or other malicious activities depending on the nature of the shared content. This issue particularly affects the confidentiality and integrity aspects of the security model, as defined in the ATT&CK framework under T1531 for Exfiltration of Data and T1021 for Remote Services, where the retained media files could be accessed through various system-level attack vectors.
Mitigation strategies for this vulnerability require both immediate application-level fixes and broader security awareness measures. Application developers must implement comprehensive secure deletion mechanisms that properly clean up all associated files and directories when secret chats are deleted, ensuring that no residual data remains accessible to other applications. This includes implementing proper file system cleanup routines and verifying that all temporary and persistent storage locations are properly purged. Users should be advised to avoid sharing sensitive content through secret chats until the vulnerability is properly addressed, and to maintain awareness of the application's security limitations. Additionally, system administrators and security professionals should monitor for potential exploitation attempts through other attack vectors that might leverage the presence of these retained files. The fix should incorporate proper file system cleanup procedures, implement robust verification mechanisms to confirm complete deletion, and ensure that all multimedia content associated with secret chats is properly sanitized during the deletion process. This vulnerability highlights the importance of comprehensive security testing, particularly for applications handling sensitive data, and underscores the necessity of proper secure deletion implementation as outlined in industry security standards and best practices.
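One way to implement the "verification mechanisms to confirm complete deletion" described above is a regression check that snapshots shared storage before a secret chat and again after the chat is deleted, then reports anything left behind. This is an added example, not code from Viber or from the advisory; the directory and file names are constructed placeholders, and the chat lifecycle is simulated in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def residual_files(before, after):
    """Files that are new or modified compared with the pre-chat baseline."""
    return sorted(path for path, digest in after.items() if before.get(path) != digest)


def simulate(delete_media):
    """Constructed stand-in for the chat lifecycle; all paths are hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp)  # plays the role of world-readable shared storage
        (shared / "DCIM").mkdir()
        (shared / "DCIM" / "holiday.jpg").write_bytes(b"unrelated user photo")
        before = snapshot(shared)  # baseline taken before the secret chat

        # A photo is taken and shared inside the secret chat.
        media_dir = shared / "media" / "secret"
        media_dir.mkdir(parents=True)
        photo = media_dir / "IMG-0001.jpg"
        photo.write_bytes(b"photo shared in the secret chat")

        # The chat is deleted. The flawed path removes the chat but not its
        # media; the corrected path removes the media as well.
        if delete_media:
            photo.unlink()

        return residual_files(before, snapshot(shared))


if __name__ == "__main__":
    print("flawed deletion leaves:", simulate(delete_media=False))
    print("corrected deletion leaves:", simulate(delete_media=True))
```

A non-empty result after deletion is the failure condition; pre-existing files such as the unrelated photo are excluded because they match the baseline.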