Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 uses a static and predictable TLS ClientHello fingerprint lacking extension diversity, allowing Deep Packet Inspection (DPI) systems to trivially identify and block proxy traffic, undermining censorship circumvention. (CWE-327)
When establishing a TLS connection, the client sends a ClientHello message containing, among other things, a list of supported ciphers and extensions. In Cloak mode, Viber always uses the same static arrangement of these parameters, creating a unique and recognizable fingerprint (known as JA3 or similar). DPI systems can compare this fingerprint with the application signature and identify the traffic as coming from Viber Cloak mode regardless of the IP address or domain used. As a result, network operators or censors can automatically block such traffic, completely neutralizing the censorship bypass function.
An attacker or network operator using DPI can reliably identify and block proxy traffic generated by the Cloak mode feature, depriving users of the ability to bypass censorship. In environments with restrictive network controls, this exposes users to disclosure of their use of anti-censorship tools.
Apply patches available from the vendor according to the references. The current version of the application is available at https://www.viber.com/en/download/. It is recommended to update as soon as possible to a version containing a fix implementing diversified TLS ClientHello extensions.
Rakuten Viber for Android version 25.7.2.0g and Rakuten Viber for Windows versions 25.6.0.0 through 25.8.1.0 (Cloak mode).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRakuten Viber
APPRakuten9.3.0.625.6.0 – 25.8.1.0
Related vulnerabilities
Viber for Windows up to 13.2.0.39 does not properly quote its custom URI handler. A malicious website could la...
Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Vib...
A vulnerability in Viber before 10.7.0 for Desktop (Windows) could allow an attacker to execute arbitrary comm...
Viber Desktop 25.6.0 is vulnerable to HTML Injection via the text parameter of the message compose/forward int...
An exploitable information disclosure vulnerability exists in the 'Secret Chats' functionality of Rakuten Vibe...