Last week, we noted that popular communications app Viber was hacked by the Syrian Electronic Army, which led to aspects of Viber’s website being defaced with the message “The Israeli-based “Viber” is spying and tracking you.”
Today, reader Peter Wells points out that Viber’s App Store description has been defaced as well. If this new app description was tainted by the Syrian Electronic Army, it is possible that the hackers have gained access to the other various developer-facing functions.
We have reached out to Viber for comment and will update this post once they are received.
Update: Viber has commented:
A few days ago a “hacker” was able to gain access to a couple of Viber.com email accounts via a phishing attack. This has since been fixed.
Data they recovered allowed them to deface our support site and also gain access to our iTunes Connect account (App Store) at a level that allowed them to change the description text of our app – which they did a few days ago around the same time as the original defacement. We noticed this within minutes, fixed the metadata and removed this user (in fact, all users but one) from our iTunes Connect account.
Unfortunately, on Saturday this happened again. Upon further investigation we realized this is a security issue in iTunes Connect. It seems that when you remove a user, if the user is logged in, then the user stays logged in. We hope Apple fixes this issue soon, as currently we have no way to permanently disconnect this user from our iTunes Connect. We have reached out to Apple regarding this issue and are waiting on their response.
At this point, we want to reassure users, that this has no impact on the security of the Viber App, Viber System, our databases, user information, etc. It’s merely an unfortunate nuisance.