The Go SMS Pro messaging app, which has over 100 million installations in the Google Play store, has a massive security flaw that allows people to access sensitive content sent using the app.
The worst part, however, is that the application manufacturer was informed about this problem months ago, but did not make updates to fix the problem.
What information can be accessed through the application?
“Looking at just a few dozen links, we found a person’s phone number, a screenshot of a bank transfer, an order confirmation that included their home address, an arrest file and explicit photos,” says Zack Whittaker, cybersecurity reporter at TechCrunch.
The process behind it works like this: Go SMS Pro uploads every media file sent through the app to the internet and makes these files accessible via a URL, according to a report by Trustwave.
When you send a message with media content via Go SMS Pro, such as a photo or video, the application uploads content to its servers, creates a URL that contains it, and sends that URL to the recipient.
If the recipient also has Go SMS Pro, the content appears directly in the message – but the application uploads the file anyway and continues to create that publicly accessible link on the internet.
The URL is the issue. No authentication is required to view the content behind the link, which means that anyone can access it.
And the URLs generated by the application have a sequential and predictable address, which means that anyone can find other files just by changing the right parts of the URL.
Theoretically, you could even write a script to automatically generate sequential URLs, so you can quickly find and browse a lot of private content shared by people using Go SMS Pro.
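What a server-side fix for both problems can look like, as an added example (not from the Trustwave report or the app's code): the counter-style ID is shown next to a link built from a random 128-bit ID and an HMAC bound to the recipient and an expiry time. The key handling, the one-hour lifetime, the function names and the assumption that the server has already authenticated the requester are all illustrative.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side key, never sent to clients
LINK_TTL = 3600                       # assumption: links stay valid for one hour


def sequential_id(counter):
    """Flawed pattern: each new file ID is the previous one plus one."""
    return format(counter, "x")


def _sign(file_id, recipient, expires):
    # Bind the link to one file, one recipient and one expiry time.
    msg = f"{file_id}|{recipient}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(recipient, now=None):
    """Hardened pattern: 128-bit random ID plus an HMAC over ID, recipient, expiry."""
    now = time.time() if now is None else now
    file_id = secrets.token_urlsafe(16)
    expires = int(now) + LINK_TTL
    return {"id": file_id, "exp": expires, "sig": _sign(file_id, recipient, expires)}


def authorize(link, requester, now=None):
    """Serve the file only to the authenticated recipient, and only before expiry."""
    now = time.time() if now is None else now
    try:
        expires = int(link["exp"])
        expected = _sign(link["id"], requester, expires)
        supplied = str(link["sig"])
    except (KeyError, TypeError, ValueError):
        return False  # malformed or incomplete link parameters
    # Constant-time comparison avoids leaking how much of the signature matched.
    return now < expires and hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    link = issue_link("+15550100")  # constructed sample recipient
    print(sequential_id(0x1000), sequential_id(0x1001))  # neighbouring IDs are guessable
    print(authorize(link, "+15550100"), authorize(link, "+15550199"))
```

With this design, changing any part of the link (ID, expiry or signature) or requesting it as a different user fails the check, so knowing one valid link reveals nothing about any other.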
What is even worse is that the application developer did not respond to the notifications, so it is not clear if this vulnerability will ever be fixed. And the developer’s website listed in the Play Store listing appears to be down.
So, if you’re using Go SMS Pro and you don’t want the entire internet to have access to your data, you might want to look for another, more secure messaging app.