
Viber channels and impersonation

This was last tested when the fauzaanu/ViberChannelPoster repo was created and may no longer work. Regardless, I recommend that everyone reading this escape Viber.

Anyone who is a superadmin on a Viber channel can post as any of the other superadmins. This wouldn't be a big deal if you could not add other people as superadmins.

{
  "status": 0,
  "status_message": "ok",
  "Id": "pa:75346594275468546724",
  "chat_hostname": "Channel name",
  "background": "https://content.cdn.viber.com/backgrounds_v1/Android/800/10000501.jpg",
  "members": [
    {
      "id": "01234567890A=",
      "name": "my name",
      "avatar": "https://example.com",
      "role": "admin"
    },
    {
      "id": "01234567890B=",
      "name": "other admins name",
      "avatar": "https://example.com",
      "role": "admin"
    }
  ]
}

This is a typical response Viber sends. It includes the id of every superadmin.

All superadmins can see the channel's authentication key, which can be used with the Channels Post API. This key can be retrieved from the Viber application.

Once you have this key, you only need the id of the superadmin you want to impersonate, and you can send messages as them.

A typical solution would be for Viber to make the key displayed in the client different for each user. Since this differentiation is not implemented at all, Viber has to send the user_id of every superadmin in the channel, because it has no way of knowing who is using the API at a given moment.
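A minimal in-memory model of that difference, as an added example (not code from the original post or from Viber). The class names, `key_for` and the HMAC key derivation are assumptions for illustration, and the member ids are the sample values from the response above.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, same shape as the ids in the response above.
SUPERADMINS = {"01234567890A=": "my name", "01234567890B=": "other admins name"}


class SharedKeyChannel:
    """Behaviour the page describes: one key shared by every superadmin."""

    def __init__(self, members):
        self.members = dict(members)
        self.channel_key = secrets.token_hex(16)

    def post(self, key, sender_id, text):
        if not hmac.compare_digest(key, self.channel_key):
            raise PermissionError("bad key")
        if sender_id not in self.members:
            raise PermissionError("unknown sender")
        # The key only proves "some superadmin"; sender_id is taken on trust.
        return {"shown_as": self.members[sender_id], "text": text}


class PerUserKeyChannel:
    """Hypothetical fix: every superadmin holds a key bound to their own id."""

    def __init__(self, members):
        self.members = dict(members)
        self._secret = secrets.token_bytes(32)  # never leaves the server

    def key_for(self, member_id):
        # Shown only to that member in their client (assumption).
        mac = hmac.new(self._secret, member_id.encode(), hashlib.sha256)
        return mac.hexdigest()

    def post(self, key, sender_id, text):
        if sender_id not in self.members:
            raise PermissionError("unknown sender")
        # The key must match the claimed sender, so the claim is verifiable.
        if not hmac.compare_digest(key, self.key_for(sender_id)):
            raise PermissionError("key does not belong to sender")
        return {"shown_as": self.members[sender_id], "text": text}
```

With the shared key, the server accepts any listed sender id from any key holder; with per-user keys, a mismatch between key and claimed sender is rejected and can be logged.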

Viber's docs claim that the channel's name is shown as the sender rather than the superadmin's; however, this is not true or not working as of now. By default, the sender shown is the user's profile rather than the channel name. However, from my tests I see that the random person I add to the channel does not carry the channel's alias.

[Image: img.png]

Here I added my friend and made him send an image.

Telegram's implementation of channels does not allow users to see who they are by default and uses signatures rather than taking the form of a chat. The channels implementation by Viber, which makes it seem like a chat, is wrong IMO. Channels are meant to be one-way communication, like an email, and making them seem like a chat is wrong.

When this is a risk

This is only an issue when there is a malicious superadmin in the channel. It might not seem to be a common case at first, but perhaps there is an internal conflict within the organisation. At that point, any of the superadmins in the channel can make another person say something, and that would definitely be a problem.

Viber’s channels are just bad. Switch to Telegram.