Modernizing Authentication — What It Takes to Transform Secure Access
Bkav Corporation researchers recently uncovered a critical vulnerability in the Viber VoIP app for Android, which boasts more than 140 million users worldwide. The vulnerability makes it extremely easy for an attacker to bypass the smartphone's lock screen (h/t Sophos).
According to the Bkav researchers, the procedure required to bypass the lock screen is simple. You send a Viber message to the victim's phone, then leverage the Viber message popups to make the Viber keybaord appear. Once the keyboard is accessible, the next step varies by device -- creating a missed call on the victim's phone, pressing the Back button, etc. -- and you have full access to the victim's device.
"The way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear," Nguyen Minh Duc, director of Bkav's Security Division, said in a statement.
The researchers say they reported the flaw to Viber last week, but didn't receive a response. Until a patch is released, they recommend keeping a close eye on any smartphones that have the app installed.