In this news item, we discuss how Go SMS Pro is leaking confidential messages, exposing the data of millions of users.
Popular messaging app Go SMS Pro leaks sensitive media exchanged between app users, according to a Trustwave study. Vulnerable user media include private voicemail messages, video messages, and photos. The development was first reported by TechCrunch, which verified Trustwave’s research. TechCrunch found a person’s phone number, a screenshot of a wire transfer, an order confirmation that included a home address, an arrest record, and explicit photos while viewing links shared through the Go SMS Pro application.
According to the report, Trustwave researchers discovered the flaw in the Go SMS Pro app in August and notified the app’s creator so that it could be fixed. However, even after the standard 90-day deadline since August 18, 2020 to resolve the issue had passed, the creator of the app “did nothing to fix the bug.” After the deadline, the researchers publicly released information about the app’s flaws.
Go SMS Pro is said to have 100 million downloads from the Google Play Store, and it was discovered that it publicly exposed media transferred between users of the app.
According to reports, recipients who do not have the app receive a URL via SMS when a message is sent to them using the app. They have to click on this URL to access the message, which opens in a browser. According to research by SpiderLabs, anyone who had access to the URL could open it and access sensitive media shared among users, without any authentication or authorization.
The research further stated that the URL is sequential (hexadecimal) and predictable, and that when media files are shared, a link is generated regardless of whether the recipient has the app.
“As a result, a malicious user could potentially gain access to all media files sent through this service as well as any that will be sent in the future. This obviously impacts the confidentiality of multimedia content sent via this application,” notes the research. The research further warns users to avoid sending private media files that may contain sensitive data until the vendor acknowledges and fixes the vulnerability.
“An attacker can create scripts that could throw a wide network on all media files stored in the cloud instance,” Karl Sigler, senior security research manager at Trustwave, told TechCrunch.
The makers of the popular Go SMS Pro messaging app have taken no action to correct the vulnerability since learning about it in August, according to the researchers who found the flaw in the app. Users’ sensitive media can be easily accessed by anyone without any authentication or authorization.
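The sequential, predictable link IDs described above can be contrasted with an unguessable, expiring token. The following is an added example, not code from Go SMS Pro or from Trustwave; the class names, the starting counter value and the one-hour lifetime are assumptions made for illustration.

```python
import secrets
import time


class SequentialLinks:
    """Weak pattern from the report: link IDs are a hexadecimal counter."""

    def __init__(self, start=0x1000):  # constructed starting value
        self._next = start
        self.store = {}

    def share(self, media: bytes) -> str:
        link_id = format(self._next, "x")
        self._next += 1
        self.store[link_id] = media
        return link_id


class RandomLinks:
    """Hardened pattern: 128-bit random token that stops resolving after a TTL."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.store = {}  # token -> (media, expires_at)

    def share(self, media: bytes, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 16 random bytes from the OS CSPRNG
        self.store[token] = (media, now + self.ttl)
        return token

    def fetch(self, token: str, now=None):
        now = time.time() if now is None else now
        entry = self.store.get(token)
        if entry is None or now >= entry[1]:
            self.store.pop(token, None)  # drop expired media from the store
            return None
        return entry[0]


def neighbours_resolve(store, link_id: str) -> bool:
    """Self-audit: does the ID adjacent to an issued one also resolve?"""
    try:
        adjacent = format(int(link_id, 16) + 1, "x")
    except ValueError:
        return False  # ID is not a hex counter, so it has no "next" value
    return adjacent in store
```

A random token only makes the link unguessable; it remains a bearer link, so anyone who obtains the URL before it expires can still open it unless the server also authenticates the recipient.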
- Popular messaging app Go SMS Pro leaks sensitive media exchanged between app users, according to a Trustwave study.
- The Go SMS Pro app generates a link when media content is shared on the platform, whether the recipient has the app or not. Recipients who do not use the app receive a link via text message that can be opened in a browser.
- Vulnerable user media includes private voicemail messages, video messages, and photos. Go SMS Pro reportedly has 100 million downloads from the Google Play Store.