CVE-2019-18800 in Viber
Summary
by MITRE
Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. TCP data packet 9 on port 4244 from the victim's device contains cleartext information such as the device model and OS version, IMSI, and 16 bytes of udid in a binary format, which is located at approximately offset 0x40 of this packet. Then, the attacker installs Viber on his device, initiates the registration process for any phone number, but doesn't enter a pin from SMS. Instead, he closes Viber. Next, the attacker rewrites his udid with the victim's udid, modifying the viber_udid file, which is located in the Viber preferences folder. (The udid is stored in a hexadecimal format.) Finally, the attacker starts Viber again and enters the pin from SMS.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/05/2024
This vulnerability in Viber versions through 11.7.0.5 represents a sophisticated account takeover attack that exploits weak encryption practices in the application's communication protocol. The flaw exists in the Viber protocol implementation where not all traffic is properly encrypted, creating a window of opportunity for man-in-the-middle attackers who can intercept network communications. The vulnerability specifically targets the authentication and registration process, allowing attackers to hijack legitimate user accounts through passive traffic interception rather than active exploitation.
The technical implementation of this attack relies on the fact that TCP data packet 9 on port 4244 contains sensitive cleartext information that is not properly secured during transmission. This packet includes the victim's device model, operating system version, IMSI (International Mobile Subscriber Identity), and a 16-byte udid (unique device identifier) stored in binary format at approximately offset 0x40. This cleartext exposure violates fundamental security principles and creates a direct pathway for attackers to obtain the necessary device identification information required for account takeover.
The operational impact of this vulnerability is significant as it enables remote attackers to completely compromise user accounts without requiring any active interaction with the victim beyond network interception. The attack chain demonstrates a sophisticated understanding of mobile application architecture and authentication mechanisms. The attacker does not need to know the victim's password or have any direct access to their device, but instead can leverage the cleartext information to impersonate the victim's device within the Viber ecosystem. This type of attack falls under the ATT&CK framework category of credential access through network sniffing and credential dumping techniques.
The exploitation process involves multiple stages that demonstrate the vulnerability's severity and the lack of proper device authentication mechanisms. After capturing the cleartext packet, the attacker must first install Viber on their own device and initiate the registration process without completing the SMS verification. The critical step involves modifying the viber_udid file in the application's preferences folder, effectively replacing their own device identifier with the victim's legitimate device identifier. This modification requires the attacker to understand the application's file structure and storage mechanisms, which indicates a deep knowledge of the mobile application's internal workings.
This vulnerability aligns with CWE-312 (Cleartext Storage of Sensitive Information) and CWE-319 (Cleartext Transmission of Sensitive Information) categories, highlighting the fundamental security flaws in how sensitive data is handled and transmitted. The weakness in the Viber protocol design represents a failure to implement proper end-to-end encryption for all communication channels, particularly during the initial registration and authentication phases. The attack pattern also demonstrates characteristics of credential stuffing and device impersonation techniques that are commonly associated with mobile application security vulnerabilities.
The mitigation strategies for this vulnerability require comprehensive protocol redesign and implementation of proper encryption standards throughout all communication channels. Applications must ensure that all sensitive information including device identifiers, user credentials, and authentication tokens are properly encrypted during transmission. The fix should involve implementing TLS encryption for all network communications and ensuring that device identifiers are not transmitted in cleartext format. Additionally, server-side authentication mechanisms should include device binding verification and multi-factor authentication to prevent unauthorized account access even if device identifiers are compromised. The vulnerability also underscores the importance of secure coding practices and the need for regular security audits of mobile application communication protocols to prevent similar issues in the future.