Go SMS Pro, one of the most popular messaging apps for Android, is exposing photos, videos and other files sent privately by its users.
A security weakness discovered in the GO SMS Pro Android app can be exploited to publicly expose media sent using the app, according to researchers.
This data leak affects more than 100 million people who installed Go SMS Pro, one of the most popular messaging apps around. Anyone who exchanged files on the app may have accidentally exposed their private data without knowing it.
Researchers at Trustwave SpiderLabs said that private voice messages, video messages and photos are all at risk of being compromised by a trivially exploitable flaw in version 7.91.
Because the attachment URLs follow a hexadecimal sequence, an attacker with enough time could guess an attachment URL and view its contents. To understand the vulnerability, readers should note that the app lets users share files with anyone, whether or not the recipient has the app installed.
When a user sends a multimedia message, the recipient can receive it even if they don’t themselves have GO SMS Pro installed. In that case, the media file is sent to the recipient as a URL via SMS, so the person can click on the link to view the media file in a browser window.
Trustwave shared its findings with TechCrunch, which tested and confirmed the flaws themselves. They were able to view private images like a screenshot with bank information, an order confirmation with a home address and an arrest record.
Worse, the app maker has done nothing to fix the bug. Security researchers at Trustwave discovered the flaw in August and contacted the app maker with a 90-day deadline to fix the issue, as is standard practice in vulnerability disclosure to allow enough time for a fix. But after the deadline passed without hearing back, the researchers went public.
Karl Sigler, senior security research manager at Trustwave, said while it wasn’t possible to target any specific user, any file sent using the app is vulnerable to public access. “An attacker can create scripts that could throw a wide net across all the media files stored in the cloud instance,” he said.
It is nonetheless a concerning bug, Sigler added. He said that because an attacker can’t directly target specific users, “I wouldn’t consider this a critical severity…but the wide net that can be thrown around potentially sensitive data certainly justifies a high severity.”
Talking further about a fix for this bug, he said a fix would include adding proper access controls in the cloud instance, implementing longer unique IDs in the URL to prevent sequential walking through the data, or simply taking down the cloud instance entirely until the issue can be addressed.
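An added illustration of the fix described above, constructed for this article and not taken from GO SMS Pro or Trustwave: the weak scheme hands out short sequential hex IDs, so every link reveals its neighbours, while the hardened service issues long random tokens, stores only a hash of each token, and lets links expire. The `media.example` host, the `HardenedLinkService` class and the seven-day default lifetime are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def weak_sequential_link(counter: int) -> str:
    """The weak pattern: a short hex counter as the link ID.

    Adjacent IDs differ by one, so the whole ID space can be walked
    sequentially. Constructed example, not the app's real URL scheme."""
    return f"https://media.example/{counter:x}"


@dataclass
class MediaRecord:
    path: str          # storage location of the uploaded file
    expires_at: float  # unix time after which the link is dead


class HardenedLinkService:
    """Issues unguessable, expiring media links (assumed design)."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600):
        self._ttl = ttl_seconds
        # Keyed by SHA-256 of the token, so a leaked table does not
        # hand out working links.
        self._by_hash: Dict[str, MediaRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, path: str, now: Optional[float] = None) -> str:
        """Create a link for `path` carrying 256 bits of randomness."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes, ~43 url chars
        self._by_hash[self._digest(token)] = MediaRecord(path, now + self._ttl)
        return f"https://media.example/{token}"

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the stored path for a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._digest(token))
        if rec is None or now > rec.expires_at:
            return None
        return rec.path
```

The token lookup is by hash, so an unknown or expired token resolves to nothing and there is no ordering an outsider can step through.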
If you are a GO SMS Pro user, here is how you can protect your information.
- There is no fix for the bug yet, and nothing can protect the files you have already sent. We strongly recommend that you stop using the app to send private media files until GO SMS Pro's developers give an "all clear".
- Before sending any file through the app, keep in mind that anyone could view it.
- Until the bug is fixed, you can switch to a more secure messaging app with encryption options that will protect your files.
This hasn’t been the only data leak which became a security nightmare for millions of people this year.
Earlier this year, an unsecured server belonging to Microsoft exposed the data of more than 250 million users, including email addresses that hackers and scammers could use for criminal activities.