Viber

Viber Claims iTunes Flaw To Blame For App Store Account Hack

Hackers can stay logged in to iTunes Connect accounts even when they’ve been blocked, Viber claims

On by Thomas Brewster 3

Messaging app company Viber believes there is a glaring flaw in Apple’s iTunes Connect, which it has blamed for a defacement of its App Store page.

The flaw lets a hacker who is logged in to an iTunes Connect account remain logged in, even when the administrator has removed them from the list of authorised users.

Viber admitted two Viber.com email accounts had been compromised by a phishing attack, allowing the attacker to get the right login details to deface the company’s support site, as TechWeek reported last week, and gain access to its iTunes Connect account.

Viber DesktopThe defacement of the App Store page was similar to that of the Support site, claiming Viber spied on its users.

Viber attacked

Although Viber removed the user from its iTunes Connect account, the hacker, believed to be a member of the Syrian Electronic Army, remained logged in. And that has left Viber upset.

“On Saturday this happened again. Upon further investigation we realised this is a security issue in iTunes Connect,” a spokesperson said, in an emailed statement sent to TechWeek.

“It seems that when you remove a user, if the user is logged in, then the user stays logged in.

“We hope Apple fixes this issue soon, as currently we have no way to permanently disconnect this user from our iTunes Connect. We have reached out to Apple regarding this issue and are waiting on their response.”

An Apple spokesperson said it had no comment at the time of publication.

“At this point, we want to reassure users, that this has no impact on the security of the Viber App, Viber System, our databases, user information, etc. It’s merely an unfortunate nuisance,” Viber added.

What do you know about Internet security? Find out with our quiz!

Thomas Brewster
Author: Thomas Brewster
Security Correspondent, TechWeekEurope
Thomas Brewster Thomas Brewster Thomas Brewster
Techweekeurope for mobile devices
Android-App Google Currents App for iOS

Last comment




3 replies to Viber Claims iTunes Flaw To Blame For App Store Account Hack

  • On July 29, 2013 at 2:05 pm by Viber

    Hi,
    I’m an official representative from Viber.

    As mentioned in the article, a security issue in iTunes Connect allowed the same “hackers” who defaced our Support Site to change the description of our AppStore page (and that’s all). We have contacted Apple regarding this issue and are awaiting their response. Meanwhile, our AppStore page is back to normal. :)

    We want to reassure our users again: this has no impact on Viber’s security. We’re safe as always. :)

    Thanks,
    The Viber Team

    • On July 30, 2013 at 11:32 am by Marie

      “We are safe as always.”

      Viber, you have been hacked. And not only once but twice as it seems. That is exact the opposite of safe, private and secure.

      • On July 31, 2013 at 3:20 pm by Viber

        Hi Marie,
        Thank you for your comment.

        We wouldn’t call this incident “hack”. It was a very minor phishing attack that allowed the people behind it to cause superficial damage (change of pages online, and that’s it), and it was resolved within minutes in both cases.

        The second case (the AppStore description change) actually has nothing to do with the fact that we (Viber) were hacked.

        You are right, all of the above does not mean that we will ignore the whole incident. We are working hard to ensure that this will not reoccur.

        However, the main point is: at no point was sensitive information taken from anywhere in the company, and that is the most important thing for us to emphasize to our users.

        Thanks again,
        Viber.

Leave a Reply

  • Required fields are marked *,
    Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>