The TechCrunch technology portal has reported that the Go SMS Pro app, one of the most popular messaging applications for Android, is exposing photos, videos and other files sent privately by its users. Worse still, the app's developer has done nothing to fix the error.
Security researchers at Trustwave discovered this issue in August. They contacted the app maker and gave it 90 days to fix the issue, as is standard practice in vulnerability disclosure to allow enough time for a fix without affecting the brand's reputation. Once that period had passed with the app maker turning a deaf ear to the report, the researchers decided to make their finding public in order to warn users of this serious vulnerability.
Multimedia files can be accessed
When a Go SMS Pro user sends a photo, video or other file to someone who does not have the application installed, the application uploads the file to its servers and lets the user share a web address via text message so that the recipient can view the file without installing the application.
But the researchers found that these web addresses were sequential. In fact, every time a file was shared, even between users of the application, a web address was generated anyway. That meant that anyone who knew about the predictable web addresses could have gone through millions of them sequentially, thus accessing the files of thousands of users.
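An added example, not code from Trustwave, TechCrunch or the app: a sequential link issuer of the kind described above beside a hardened one that hands out unguessable tokens. The class names, the starting counter, the in-memory store and the link expiry are assumptions made for illustration.

```python
import hashlib
import itertools
import secrets
import time


class SequentialLinks:
    """Weak scheme from the article: each shared file gets the next number."""

    def __init__(self):
        self._next = itertools.count(1000)  # constructed starting value
        self._files = {}

    def share(self, blob):
        link_id = str(next(self._next))
        self._files[link_id] = blob
        return link_id

    def fetch(self, link_id, now=None):
        return self._files.get(link_id)


class RandomTokenLinks:
    """Hardened scheme (assumed design): CSPRNG token, hashed at rest, expiring."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self._ttl = ttl_seconds
        self._files = {}  # sha256(token) -> (expires_at, blob)

    def share(self, blob, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode()).hexdigest()
        self._files[key] = (now + self._ttl, blob)
        return token

    def fetch(self, token, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        expires_at, blob = self._files.get(key, (0, None))
        return blob if now < expires_at else None


def neighbour_exposed(store, own_id):
    """Self-test: does adding 1 to a link id we own return another file?"""
    if not own_id.isdigit():
        return False  # no numeric successor exists for a random token
    return store.fetch(str(int(own_id) + 1)) is not None
```

A random token only makes the link unguessable; files that must stay private to one recipient still need an authorization check on the server.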
More than 100 million potentially affected users
Go SMS Pro has more than 100 million installs, according to its listing on Google Play. TechCrunch decided to put the researchers' findings to the test. Looking at just a few dozen links, they found a person's phone number, a screenshot of a bank transfer, an order confirmation that includes someone's home address, an arrest record, and far more explicit photos than expected, to be quite honest.
Karl Sigler, Senior Security Research Manager at Trustwave, said that while it was not possible to target any specific user, any file sent with the app is vulnerable to public access. “An attacker can create scripts that could launch a wide net on all the media files stored in the cloud instance,” he said.
Removed from the Play Store
Given everything that happened, and the coverage of the case in specialized media, the matter has been resolved drastically: not by the Go SMS Pro developers fixing their application, but by Google removing it from the Play Store, so it is no longer available. If you still have it installed for whatever reason, it is better to uninstall it from your phone.