The hacking saga began this week with Tango, and now Viber has joined the ranks of the websites and services compromised by the Syrian Electronic Army, alongside the Twitter accounts of various news outlets.
Earlier today, The Hacker News reported that Viber’s support subdomain had been defaced with a “Hacked by Syrian Electronic Army” banner and an apparent screenshot of a device database.
“Dear All Viber Users [sic], the Israeli-based ‘Viber’ is spying and tracking you,” reads a message at the top. “We weren’t able to hack all Viber systems, but most of it is designed for spying and tracking.”
Since then, the page has been taken down by Viber, who confirmed the attack:
“Today the Viber Support site was defaced after a Viber employee unfortunately fell victim to an email phishing attack. The phishing attack allowed access to two minor systems: a customer support panel and a support administration system. Information from one of these systems was posted on the defaced page.
It is very important to emphasize that no sensitive user data was exposed and that Viber’s databases were not “hacked”. Sensitive, private user information is kept in a secure system that cannot be accessed through this type of attack and is not part of our support system.
We take this incident very seriously and we are working right now to return the support site to full service for our users. Additionally, we want to assure all of our users that we are reviewing all of our policies to make sure that no such incident is repeated in the future.”
It’s not yet clear how much information was gathered from Viber’s 200 million-plus users, or whether the haul was as large as in the Tango breach, in which 1.5TB worth of user information was compromised, information that the Syrian Electronic Army vowed to hand over to the Syrian government.
The screenshot posted on Viber’s site today shows a list of phone numbers with accompanying device IDs, IP addresses, operating systems and the version of Viber in use. Viber has reported, however, that the information accessed was quite basic:
“The data is quite basic – we want to know when user registered, where from (country), device type (helps us understand who uses Viber, detect problems, etc), UDID is an internal ID (not the Apple UDID), push token is used to communicate with users (but cannot be used by a 3rd party), etc. While this is not the most sensitive data (message content, address book, etc), we are disappointed that hackers were able to gain access to these systems. We are working, as we speak, to make sure that this will not happen again.
The system that was breached is our CSR (Customer Support). Supporters need access to this data to help users with various technical issues. Most app developers would provide their supporters with similar data.”
We’ll update this story as more information becomes available.