The popular Go SMS Pro messaging app is filtering sensitive media exchanged between app users, according to research by Trustwave. Vulnerable user media include private voice messages, video messages, and photos. The development was first reported by TechCrucnh, who verified Trustwave’s research. TechCrunch found a person’s phone number, a screenshot of a bank transfer, an order confirmation that included a home address, an arrest record, and explicit photos while viewing links shared through the Go SMS Pro app.
According to the report, Trustwave researchers discovered the faulty Go SMS Pro app in August and advised the app maker to fix them. However, even after the standard 90-day time frame from August 18, 2020 to fix the problem, the app manufacturer “has done nothing to fix the error.” After the deadline, the researchers posted about the app’s flaws in public.
GoSMS Pro is said to have 100 million downloads on the Google PlayStore and was found to publicly expose transferred media between app users.
Users who do not have the app are reportedly receiving URLs via SMS if any messages are sent to them using the app. Users had to click on this URL to access the message that would open in a browser. According to research by Spider Labs, anyone without authentication or authorization who had access to the URL could open it and gain access to sensitive media shared between users.
The investigation further indicated that the URL link was sequential (hexadecimal) and predictable and that when sharing media files, a link was generated regardless of whether the recipient had the application or not.
“As a result, a malicious user could access any multimedia file sent through this service and also any that is sent in the future. This obviously affects the confidentiality of multimedia content sent through this application,” the investigation notes. The investigation also warns users to avoid sending private media files that may contain sensitive data until the vendor recognizes and fixes the vulnerability.
“An attacker can create scripts that could launch a wide network through all the media files stored in the cloud instance,” Karl Sigler, senior manager of security research at Trustwave, told TechCrunch.