------------------------------------------------------------------------
Viber for Android exposes insecure Javascript interface
------------------------------------------------------------------------
Yorick Koster, April 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Viber's Sticker Market is affected by a remote
code execution vulnerability. This is possible because the Market is
loaded over an insecure connection (HTTP) in a WebView that exposes an
insecure Javascript interface. Exploiting this issue allows for the
execution of arbitrary Java code with the privileges of the Viber app.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Viber for Android version
4.3.0.712.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
As of Viber version 5.2.0.2415 (released December 15, 2014) the target
SDK was changed from API Level 15 to API Level 19. As a result, this
issue is no longer exploitable on devices running Android 4.2 (API
Level 17) and newer.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20140402/viber_for_android_exposes_insecure_javascript_interface.html
https://vimeo.com/102272421
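
The Fix section ties exposure to both the app's target SDK and the device's API level. The following audit sketch is an added example, not code from the advisory or from Viber: it reads a decoded AndroidManifest.xml and a source excerpt and reports whether an injected WebView object is reachable in full. The minSdkVersion value, the MarketBridge class and the URL are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ANNOTATION_API = 17  # Android 4.2: only @JavascriptInterface methods are exposed

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion) from a decoded AndroidManifest.xml."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if uses_sdk is None:
        return 1, 1
    min_sdk = int(uses_sdk.get(ANDROID_NS + "minSdkVersion", "1"))
    # A missing targetSdkVersion defaults to minSdkVersion.
    return min_sdk, int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", str(min_sdk)))

def all_public_methods_exposed(target_sdk, device_api):
    """True when page script can reach every public method of an injected object."""
    return target_sdk < ANNOTATION_API or device_api < ANNOTATION_API

def audit(manifest_xml, java_source):
    """Return finding codes for an app that injects an object into a WebView."""
    if "addJavascriptInterface(" not in java_source:
        return []
    findings = []
    min_sdk, target_sdk = sdk_levels(manifest_xml)
    if target_sdk < ANNOTATION_API:
        findings.append("ALL_METHODS_EXPOSED")        # every device affected
    elif min_sdk < ANNOTATION_API:
        findings.append("EXPOSED_ON_OLD_DEVICES")     # devices below API 17 only
    if re.search(r'loadUrl\(\s*"http://', java_source):
        findings.append("CLEARTEXT_LOAD")             # content can be altered in transit
    return findings

# Constructed inputs: minSdkVersion and the Java snippet are assumptions, not Viber's.
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            '<uses-sdk android:minSdkVersion="14" android:targetSdkVersion="{}"/>'
            '</manifest>')
SOURCE = '''
webView.addJavascriptInterface(new MarketBridge(), "bridge");
webView.loadUrl("http://market.example.invalid/");
'''

if __name__ == "__main__":
    for target in (15, 19):  # target SDK before and after the fix in the advisory
        print(target, audit(MANIFEST.format(target), SOURCE))
```

With the target SDK raised to 19 the first finding narrows to devices below API Level 17, matching the advisory's statement; the cleartext load is reported independently of the SDK level.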