Viber has fixed a vulnerability in the company's Windows client found by a group of security experts, which included a Positive Technologies researcher. This security bug enabled attackers to steal data needed for user authentication in Windows. Users urged to update to Viber version 6.7.2
"In essence, when a link resembling http://host/img.jpg is sent during a chat, Viber would first load it as the client who sent the link. If a picture is hosted at the indicated URL, then Viber would try to download it as the receiving client. This scheme would work only if the initiating client confirmed the presence of a picture at that URL," explained Timur Yunusov, Head of the Banking Security Unit at Positive Technologies.
If the server sent a 401 "authentication required" message (instead of a picture) in response to the second request and then asked for NTLM authentication, Viber would send the user's NTLM hash.
In addition, the vulnerability made it possible to force the client to send arbitrary GET requests. This attack could, for example, be used to reprogram home routers and other devices.
"This vulnerability could be used only by an attacker whose mobile phone number was saved in the user's contact list. Therefore no mass attack on Windows users was possible. We also note that a successful attack generally required performing a whole series of GET requests, meaning that the attacker would need to send multiple links to a potential victim," commented the Viber press service. "Around six percent of our active users in Russia have used the Windows client at least once in the last month to send a message, perform calls, or view public chats."
The vulnerability in the Viber client for Windows has been fixed as of Viber version 6.7.2, which is currently available for download.