According to Trustwave research, the popular Go SMS Pro messaging app leaks sensitive media exchanged between app users. Vulnerable user media include private voice messages, video messages and photos. The development was first reported by TechCrunch, which verified Trustwave’s research. TechCrunch found a person’s phone number, a screenshot of a bank transfer, an order confirmation that includes a home address, a crash record, and explicit photos when viewing links shared via the Go SMS Pro app.
According to the report, Trustwave researchers discovered the flaw in the Go SMS Pro app in August and asked the app maker to fix it. However, even after the standard 90-day deadline, counted from August 18, 2020, the app maker “did nothing to fix the bug”. After the deadline passed, the researchers published details of the flaw.
Go SMS Pro is said to have 100 million downloads on the Google Play Store and was found to publicly expose media transferred between app users.
According to reports, recipients who did not have the app received a URL via SMS when a message was sent through the app, and had to click that URL to open the message in a browser. According to research by SpiderLabs, anyone with access to the URL could open it, without any authentication or authorization, and view sensitive media shared between users.
The research also stated that the URLs were sequential (hexadecimal) and predictable, and that a link was generated whenever media was shared, regardless of whether the recipient had the app.
“As a result, an attacker could potentially access any media file sent through this service and also any file sent in the future. This obviously affects the confidentiality of multimedia content sent through this application,” notes the research. The research also warns users to avoid sending private multimedia files that may contain sensitive data until the vendor recognizes and fixes the vulnerability.
“An attacker can create scripts that can throw a large web over all media files stored in the cloud instance,” Karl Sigler, head of security research at Trustwave, told TechCrunch.
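For developers of similar sharing features, the sketch below is an added example (not Go SMS Pro code and not from the Trustwave report) that puts the weak pattern the research describes, a sequential hexadecimal link ID with no access check, beside one possible correction: a 128-bit random token that expires. The class names, the one-hour lifetime, the starting counter value and the `max_gap` threshold are assumptions; an unguessable link is still a bearer secret, so content this sensitive should also sit behind recipient authentication.

```python
import hashlib
import secrets
import time


class SequentialLinks:
    """Weak pattern from the article: hex counter, no access check."""

    def __init__(self, start=0x1A2B3C):  # constructed starting value
        self._next, self._store = start, {}

    def share(self, media: bytes) -> str:
        link_id = format(self._next, "x")
        self._next += 1
        self._store[link_id] = media
        return link_id


class RandomExpiringLinks:
    """Corrected pattern (assumed design): 128-bit CSPRNG token plus expiry."""

    def __init__(self, ttl_seconds=3600):
        self._ttl, self._store = ttl_seconds, {}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a leaked index does not reveal live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def share(self, media: bytes, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_hex(16)
        self._store[self._key(token)] = (media, now + self._ttl)
        return token

    def fetch(self, token: str, now=None):
        now = time.time() if now is None else now
        media, expires_at = self._store.get(self._key(token), (None, 0))
        if media is None or now >= expires_at:
            self._store.pop(self._key(token), None)  # purge expired entry
            return None
        return media


def looks_sequential(link_ids, max_gap=16):
    """Audit check for IDs your own service issued: small gaps mean guessable."""
    values = sorted(int(i, 16) for i in link_ids)
    gaps = [b - a for a, b in zip(values, values[1:])]
    return bool(gaps) and max(gaps) <= max_gap
```

Running `looks_sequential` over a sample of link IDs issued by your own staging service is a quick regression check that an ID scheme has not slipped back to a counter.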
The app makers of the popular Go SMS Pro messaging app have taken no action to fix the vulnerability since they were notified in August, according to researchers who found the flaw in the app. Sensitive user media can be easily accessed by anyone without any authentication or authorization.
- According to Trustwave research, the popular Go SMS Pro messaging app leaks sensitive media exchanged between app users.
- The Go SMS Pro app generates a link when media is shared on the platform, regardless of whether the recipient has the app. Recipients who are not using the app receive a link via SMS that can be opened in a browser.
- Vulnerable user media include private voice messages, video messages and photos. Go SMS Pro is said to have 100 million downloads on the Google Play Store.