CVE-2018-3987: 
NixOS vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2018-3987) was discovered in Rakuten Viber's 'Secret Chats' functionality on Android version 9.3.0.6. The vulnerability was discovered on September 5, 2018, and publicly disclosed on February 7, 2019. The vulnerability affects the secret chat feature which is designed to delete all traces of a chat either through a time trigger or direct user request (Talos Report).

The vulnerability has a CVSS v3.1 base score of 5.5 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue stems from the way Viber handles photo capture in secret chats. The application uses the 'android.media.action.IMAGE_CAPTURE' intent, which allows the native camera application to save a copy of the photo on the Android filesystem, separate from Viber's controlled storage path. When a secret chat is deleted, Viber only removes the photo from its designated path but not the copy saved by the native camera application (Talos Report).

The vulnerability results in photos taken within secret chats remaining accessible on the device even after the chat is deleted or self-destructed. These photos become accessible to all applications installed on the Android device, effectively compromising the privacy and security expectations of the secret chat feature (Talos Report).

The recommended solution is for Viber to implement its own photo capture functionality using the Camera2 class (or the deprecated Camera class for older API levels) instead of relying on the system's camera intent. This would ensure that photo data remains under Viber's direct control and is properly deleted when secret chats are removed (Talos Report).