Viber Desktop HTML Injection Vulnerability

Vulnerability

A vulnerability allowing HTML injection has been identified in Viber Desktop version 25.6.0. The issue arises in the message compose and forward interface, where the text parameter can be manipulated to include unsanitized HTML that the client then renders as markup. While the Viber client appears to restrict script execution, it still allows external resources, such as images, to be loaded from attacker-controlled domains. This could be exploited for user tracking, UI manipulation, phishing, and privacy leakage.

Impact

Exploitation of this vulnerability could cause the recipient's client to load images or other resources from attacker-controlled domains without the user's consent, potentially leaking the recipient's IP address or other metadata. It could also allow manipulation of the message user interface, creating opportunities for social engineering attacks. This vulnerability could further be combined with other issues to increase its impact.

Remediation

To address this vulnerability, it is recommended to treat the text parameter as plain text and not render HTML by default. User-supplied input should be properly escaped or encoded before being displayed in the client. Furthermore, external resource loading from forwarded messages should be blocked, or routed through a sanitizing proxy that strips such requests.
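As an added illustration of the remediation above (example code, not Viber's own; all function names, the rendering shape and the sample message are hypothetical), the vulnerable rendering pattern is shown beside the escaped one, together with a check a test suite could use to flag rendered markup that would still trigger a remote fetch:

```javascript
// Added example (not Viber's code): render a message's text parameter as
// plain text and flag markup that still references a remote resource.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the text parameter is dropped into markup unescaped,
// so an injected <img src="https://..."> tag becomes live markup.
function renderMessageUnsafe(text) {
  return `<div class="msg">${text}</div>`;
}

// Hardened pattern: the same parameter is escaped first, so any tag is shown
// literally and no external resource is fetched.
function renderMessageSafe(text) {
  return `<div class="msg">${escapeHtml(text)}</div>`;
}

// Detection helper for review or tests: does the rendered markup contain a
// tag attribute whose value points at an http(s) or protocol-relative URL?
const REMOTE_REF = /<[^>]+\b(?:src|href|poster|data)\s*=\s*["']?\s*(?:https?:)?\/\//i;
function loadsExternalResource(html) {
  return REMOTE_REF.test(html);
}

// Constructed sample: a forwarded message carrying an injected image tag
// (the domain is a placeholder, not a real indicator).
const SAMPLE_TEXT = 'Check this out <img src="https://tracker.example/pixel.png">';
```

Running `loadsExternalResource` over both renderings of `SAMPLE_TEXT` shows the unsafe output referencing the remote image while the escaped output does not.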

Added: Sep 12, 2025, 3:16 PM
Updated: Sep 12, 2025, 4:34 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.