Popular Android messaging app Go SMS Pro exposes millions of users' data

The problem lies in how the app shares media. When a user sends a photo, video or voice message, Go SMS Pro uploads the file to a server and hands out a URL pointing at it. There is no authentication required to access these URLs, and worse, the file names and paths are sequential, so it is trivial for a bad actor to enumerate all possible URLs and download whatever Go SMS Pro users have been sending to each other. Other cybersecurity researchers have done precisely this and found all manner of information publicly available, from driver's licence photos and audio files to photos of things you wouldn't show your mother. The Verge also discovered that the website listed on the app's Play Store page doesn't load. According to researchers at Trustwave SpiderLabs, version 7.91 of the application exposes the privacy of photos, videos and voice messages; at the time of the report, the developer had not fixed the flaw.

Because the identifiers follow a hexadecimal sequence, an attacker does not even need to guess blindly: starting from any one attachment URL, incrementing or decrementing the identifier yields the neighbouring files, and with enough time the whole set can be walked. Furthermore, when a media file is shared, a link is generated regardless of whether the recipient has the app installed.
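To make the enumeration risk concrete, the following Python sketch is an added illustration and is not code from Go SMS Pro, from Trustwave, or from any of the outlets quoted here. It models two in-memory "share link" stores: one that issues consecutive hexadecimal identifiers with no access check, as the article describes, and a hardened variant that issues a random 192-bit token instead. The attacker model is the one described above, starting from a single link the attacker legitimately received and stepping through the neighbouring identifiers. All class and function names, the starting counter value 0x1000, and the sample attachments are constructed for this demonstration; nothing contacts a real server.

```python
import secrets
from itertools import count


class SequentialShareStore:
    """Models the weak design: attachment IDs are consecutive hex numbers and
    fetch() performs no authentication, so knowing an ID is enough to read the
    file. (Hypothetical model, not the app's real storage layer.)"""

    def __init__(self, start=0x1000):
        self._ids = count(start)
        self.files = {}

    def share(self, content: bytes) -> str:
        file_id = format(next(self._ids), "x")   # '1000', '1001', '1002', ...
        self.files[file_id] = content
        return file_id

    def fetch(self, file_id: str):
        # No ownership or session check: anyone who presents the ID gets the bytes.
        return self.files.get(file_id)


class RandomShareStore(SequentialShareStore):
    """Hardened variant: the link carries a 192-bit random token rather than a
    counter, so a link cannot be derived from a neighbouring one."""

    def share(self, content: bytes) -> str:
        file_id = secrets.token_urlsafe(24)      # 24 bytes -> 32 URL-safe chars
        self.files[file_id] = content
        return file_id


def walk_neighbours(store, known_id: str, window: int) -> list:
    """Attacker model: given one valid link, try every ID within +/- window of
    it. Only succeeds when IDs are predictable integers."""
    try:
        base = int(known_id, 16)
    except ValueError:
        return []          # a random token is not a hex counter; nothing to step from
    hits = []
    for n in range(base - window, base + window + 1):
        candidate = format(n, "x")
        if store.fetch(candidate) is not None:
            hits.append(candidate)
    return hits


def demo(victims: int = 20, window: int = 50) -> dict:
    """Populate both stores with constructed sample attachments, give the
    attacker exactly one link from each, and count what can be enumerated."""
    results = {}
    for name, store in (("sequential", SequentialShareStore()),
                        ("random", RandomShareStore())):
        links = [store.share(f"constructed-attachment-{i}".encode())
                 for i in range(victims)]
        known = links[victims // 2]           # the single link the attacker was sent
        results[name] = len(walk_neighbours(store, known, window))
    return results


if __name__ == "__main__":
    print(demo())   # {'sequential': 20, 'random': 0}
```

The random token removes only the enumeration problem; a link that never expires and requires no authentication is still a bearer credential, so a production design would additionally bind the link to an expiry time and, where the recipient is a known user, to their session.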

When the recipient doesn't have Go SMS Pro, the app sends that URL via SMS so the non-user can view the file, which means the exposure is not limited to people who installed the app. It's not clear whether the issue has since been patched, but for now, if you find yourself using messaging apps that aren't made by trusted developers, it's best to uninstall them.

Trustwave shared its findings with TechCrunch this week. In viewing just a few dozen links, we found a person's phone number, a screenshot of a bank transfer, an order confirmation including someone's home address, an arrest record, and far more explicit photos than we were expecting, to be quite honest. Trustwave has contacted the developer four times since August 18, 2020, notifying them of the vulnerability, but received no response; after its disclosure deadline elapsed without hearing back, the researchers went public.

Google removed the app from the Play Store after receiving a report of the security flaws. "An attacker can create scripts that could throw a wide net across all the media files stored in the cloud instance", the Trustwave researchers warned.

Users are advised to stop using the application right away until the developer releases a fix. Note that recipients are exposed whether or not they use the app: if the recipient doesn't have Go SMS Pro installed, the media file is shared with them as a URL via regular SMS, and that URL is the same unauthenticated, sequential link.

TechCrunch also sent emails to two addresses linked to the app and was still waiting for a reply. This hasn't been the only data leak to become a security nightmare for millions of people this year.