I recently tested Viber’s new Change Phone Number feature which lets you change your phone number without losing your message history and contact list.
Because I didn’t really have a new phone number I decided to replace my number with the number of an existing mobile subscriber (let’s call him John). John didn’t have Viber at the time.
So I opened up Viber and replaced my number with his number. Viber sent a confirmation code to John’s phone, I typed it in, and Viber confirmed that I was now signed in with John’s phone number.
However, because I wanted to keep using Viber with my phone number, I did another switch: this time I replaced John’s number with my number.
Soon after that I started receiving messages from John’s friends that are on Viber. They were messaging me thinking I was John. They said they received notifications about John joining Viber and changing his phone number.
I was really confused at first. How was that even possible? Then I did some research and here’s what I think happened.
When I changed my number to John’s number, John’s friends received a notification that John had joined Viber. Then, as I changed John’s number back to my number, his friends received a notification saying John had changed his phone number. Some of those friends decided to update John’s phone number (which is actually my phone number). And because Viber synchronizes its contact list with the phone’s contact list, I now appeared as John in Viber for those friends of John’s.
So how can this be exploited? Well, it makes it possible for someone to impersonate people on Viber. Here is a step-by-step explanation of how it could happen. All it takes is having access to the victim’s phone.
1. Stephan has no Viber account. I want to impersonate Stephan on Viber.
2. I open Viber on my phone, I go to Change phone number and enter Stephan’s phone number.
3. Viber sends a confirmation code to Stephan’s phone. I now must find out what the code is. I can do this if I have access to Stephan’s phone. Or I could simply ask him to tell me the code in that weird SMS he just received. When I have the code I type it in and Viber identifies me by Stephan’s phone number.
4. I go to Change Phone Number and replace Stephan’s number with my number. Viber sends a confirmation code to my phone and now identifies me by my phone number.
5. While I make those changes, Stephan’s friends that are on Viber get notifications that Stephan has joined Viber and has changed his phone number. Some of Stephan’s friends see the notification and memorize his new number (which is actually my number) in their phones. Now they think that I (or rather my phone number) is Stephan.
6. Convinced Stephan has joined Viber, they start messaging him. But they are actually messaging the account that is associated with my phone number, so I get the messages.
Update: I have received a statement from Viber on the subject. You can read it below.
At Viber – ensuring privacy, security and safety of our users and their data are of utmost importance and one of the key pillars of our application.
Our highest priority is to keep all personal information in sole possession of our users – and prevent attempts of identity theft and similar violations of personal data.
The contrived scenario enclosed in your article is neither possible nor realistic, as it just cannot be implemented into the existing flow related to the “Change Phone Number” feature in Viber due to the fail-proof procedure applied to the process.
Simply – but securely – a user who wishes to have his phone number changed is obliged to enter a 6-digit code received as SMS on the device that operates with the new number. This verification process ensures that the user has ownership or direct access to the telecom service identified through the new mobile number which is replacing the existing one, thus making Viber’s solution thoroughly reliable and trustworthy towards personal data shared thereupon.
This methodology is used exactly in order to eliminate all possible risks of identity frauds from happening within the app.
Having this said, we would kindly ask you to update the content of your article in a way that describes in precise and reliable detail the real product verification flow.
We believe that this gesture on your behalf would be fair to Viber’s users and online community, and would reflect ethics of correct journalism that readers and users should rely on.
I’d love to hear your thoughts on the subject, so drop a comment below.