Sunday, July 28, 2013

Viber Attack May Have Been More Broad Than Initially Thought

Posted by el innovator Posted on 6:45 PM No comments
In the past few weeks, a lot of popular websites and apps has been hacked... At first there was Apple's dev center which was down for more than one week and from a few days there was Viber the well known chatting services and finally there was a lot of Instagram accounts which has been hacked...

Viber claims, though, that the damage it suffered from its breach was minimal, saying the attacker only gained access to two minor support systems. But a quick glance at its App Store description suggests that wasn’t the case…

Earlier today 9to5mac was able to point to the App Store description of Viber’s popular iOS app, which had clearly been defaced. The attackers replaced the text with “We created this app to spy on you, PLEASE DOWNLOAD IT!”

Here's the screenshot taken before the company restore its app description: 
From a distance, it looks like this could be related to Apple’s Dev Center attack, but it’s not likely. 9to5Mac’s Mark Gurman suggests the hackers could have gained access to Viber’s iTunes Connect account using a phishing scam.

From the company’s initial statement on the hack:
“Today the Viber Support site was defaced after a Viber employee unfortunately fell victim to an email phishing attack. The phishing attack allowed access to two minor systems: a customer support panel and a support administration system. Information from one of these systems was posted on the defaced page.
It is very important to emphasize that no sensitive user data was exposed and that Viber’s databases were not “hacked”. Sensitive, private user information is kept in a secure system that cannot be accessed through this type of attack and is not part of our support system.
 A Viber spokesman has reached out to us the following statement:
“A few days ago a “hacker” was able to gain access to a couple of Viber.com email accounts via a phishing attack. This has since been fixed.
Data they recovered allowed them to deface our support site and also gain access to our iTunes Connect account (App Store) at a level that allowed them to change the description text of our app – which they did a few days ago around the same time as the original defacement. We noticed this within minutes, fixed the metadata and removed this user (in fact, all users but one) from our iTunes Connect account.
Unfortunately, on Saturday this happened again. Upon further investigation we realized this is a security issue in iTunes Connect. It seems that when you remove a user, if the user is logged in, then the user stays logged in. We hope Apple fixes this issue soon, as currently we have no way to permanently disconnect this user from our iTunes Connect. We have reached out to Apple regarding this issue and are waiting on their response.
At this point, we want to reassure users, that this has no impact on the security of the Viber App, Viber System, our databases, user information, etc. It’s merely an unfortunate nuisance.“
So what do you think ? 
Categories:

0 comments :

Post a Comment

Share your ideas with us .. let us know your thoughts about this .

Subscribe to: Post Comments ( Atom )