At the end of the last month, TQ reported that popular messaging and voice calling app Viber was hacked by the Syrian Electronic Army. As a result of this attack, Viber not only found some discrepancies in some of its systems, but the website of the popular service was also defaced by the hacker group. The intruders left the following message behind: “The Israeli-based “Viber” is spying and tracking you.” After the incident, Viber said that none of the user data was compromised during this attack and it had happened because one of its employees fell in the trap of the hacker group and opened a compromised email.
After the incident it seemed everything was in Viber’s control, but now it looks like that is not the case and on Saturday, July 27th, Peter Wells indicated that the description on App Store of Viber has been defaced too, as it reads that “We have created this app to spy on you, PLEASE DPWNLOAD IT!”. It is now feared the Syrian Electronic Army is behind this incident, as the hjacker group had previously claimed that it hacked Vibers for spying on its users. There is a possibility that the hacker group might have gained access to other developer-facing functions as well.
When 9to5Mac got in touch with Viber to have their comment on the situation, the company responded that:
“A few days ago a “hacker” was able to gain access to a couple of Viber.com email accounts via a phishing attack. This has since been fixed.
Data they recovered allowed them to deface our support site and also gain access to our iTunes Connect account (App Store) at a level that allowed them to change the description text of our app – which they did a few days ago around the same time as the original defacement. We noticed this within minutes, fixed the metadata and removed this user (in fact, all users but one) from our iTunes Connect account.
Unfortunately, on Saturday this happened again. Upon further investigation we realized this is a security issue in iTunes Connect. It seems that when you remove a user, if the user is logged in, then the user stays logged in. We hope Apple fixes this issue soon, as currently we have no way to permanently disconnect this user from our iTunes Connect. We have reached out to Apple regarding this issue and are waiting on their response.
At this point, we want to reassure users, that this has no impact on the security of the Viber App, Viber System, our databases, user information, etc. It’s merely an unfortunate nuisance.”
Source: 9to5Mac