Overview
The Rakuten Viber messaging app for Android V25.7.2.0g and Windows V25.6.0.0-V25.8.1.0, has a flaw in its TLS handshake implementation when using the Cloak proxy configuration. This flaw allows for easy identification of proxy usage, potentially compromising user anonymity.
Description
Rakuten Viber can be configured to use a proxy server. Multiple proxy configurations, including Cloak, are supported. Rakuten Viber in Android V25.7.2.0g and Windows V25.6.0.0–V25.8.1.0 exhibits a flaw in the TLS handshake implementation for Cloak mode. Cloak mode is designed to hide the fact that a proxy or VPN is in use.
However, the Cloak proxy mode has a rigid and easily identified fingerprint, making it trivially identifiable by Deep Packet Inspection (DPI) systems. This allows networks to block Viber traffic, undermining the app’s ability to circumvent censorship and potentially leading to denial of service in certain cases.
Impact
The Cloak-mode proxy traffic fails to hide the use of a proxy. The outgoing data is easily identifiable due to the rigid fingerprint and no longer appears to be normal browser TLS behavior. The user has no indication the proxy is not protecting their data.
Solution
Windows users should upgrade to V27.3.0.0 or later, and Android users should upgrade to V27.2.0.0g or later.
For continued support, Windows users can implement automatic updates for Viber.
Acknowledgements
Thanks to the reporter Oleksii Gaienko, an independent security researcher. This document was written by Laurie Tyzenhaus.
Vendor Information
Other Information
| CVE IDs: | |
| Date Public: | 2026-02-18 |
| Date First Published: | 2026-03-05 |
| Date Last Updated: | 2026-03-05 19:19 UTC |
| Document Revision: | 3 |
