漏洞标题
N/A
漏洞描述信息
Viber通过11.7.0.5允许远程攻击者窃取受害者的互联网流量并窃取他们的Viber账户,因为不是所有的Viber协议流量都加密。从受害者的设备上TCP数据包9的4244端口包含二进制格式的明文信息,如设备模型和操作系统版本、IMSI和udid的20字节,该信息位于本 packets 0x14的偏移量。然后,攻击者在他的设备上安装Viber,开始为任何电话号码注册,但不从短信中输入密码。相反,他关闭Viber。接下来,攻击者将他的udid与受害者的udid重写,修改位于Viber偏好文件夹中的 viber_udid文件(udid以十进制格式存储)。最后,攻击者再次启动Viber,并从短信中输入密码。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. TCP data packet 9 on port 4244 from the victim's device contains cleartext information such as the device model and OS version, IMSI, and 20 bytes of udid in a binary format, which is located at offset 0x14 of this packet. Then, the attacker installs Viber on his device, initiates the registration process for any phone number, but doesn't enter a pin from SMS. Instead, he closes Viber. Next, the attacker rewrites his udid with the victim's udid, modifying the viber_udid file, which is located in the Viber preferences folder. (The udid is stored in a hexadecimal format.) Finally, the attacker starts Viber again and enters the pin from SMS.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Viber 输入验证错误漏洞
漏洞描述信息
Viber是一套跨平台的即时通信软件。 Viber 11.7.0.5及之前版本中存在输入验证错误漏洞,该漏洞源于程序没有对所有的Viber协议流量进行加密。远程攻击者可通过捕获用户的网络流量利用该漏洞获取敏感信息。
CVSS信息
N/A
漏洞类别
输入验证错误