GHSA-H624-WRJ8-HR3R

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2022-05-24 22:01
VLAI?
Details

Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. TCP data packet 9 on port 4244 from the victim's device contains cleartext information such as the device model and OS version, IMSI, and 16 bytes of udid in a binary format, which is located at approximately offset 0x40 of this packet. Then, the attacker installs Viber on his device, initiates the registration process for any phone number, but doesn't enter a pin from SMS. Instead, he closes Viber. Next, the attacker rewrites his udid with the victim's udid, modifying the viber_udid file, which is located in the Viber preferences folder. (The udid is stored in a hexadecimal format.) Finally, the attacker starts Viber again and enters the pin from SMS.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2019-18800"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-06T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Viber through 11.7.0.5 allows a remote attacker who can capture a victim\u0027s internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. TCP data packet 9 on port 4244 from the victim\u0027s device contains cleartext information such as the device model and OS version, IMSI, and 16 bytes of udid in a binary format, which is located at approximately offset 0x40 of this packet. Then, the attacker installs Viber on his device, initiates the registration process for any phone number, but doesn\u0027t enter a pin from SMS. Instead, he closes Viber. Next, the attacker rewrites his udid with the victim\u0027s udid, modifying the viber_udid file, which is located in the Viber preferences folder. (The udid is stored in a hexadecimal format.) Finally, the attacker starts Viber again and enters the pin from SMS.",
  "id": "GHSA-h624-wrj8-hr3r",
  "modified": "2022-05-24T22:01:04Z",
  "published": "2022-05-24T22:01:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18800"
    },
    {
      "type": "WEB",
      "url": "https://thesamarkand.tumblr.com/post/188785277609/viber-messenger-remote-account-reset-0day"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.