“Almost 100 million users have chosen the # 1 messaging app to replace the others. The new messaging application is simple, intuitive, personalized… ”. This is the first thing you could read in the Play Store about Go SMS Pro, a very popular chat application. In fact, so much so that it had been downloaded and installed about 100 million times. And we talk about it in the past tense because Google has deleted it from its store. The reason?
Exposure of user data.
As websites like TechCrunch have discovered, Go SMS Pro has a massive security flaw that potentially allows people to access sensitive content – private data – that you have sent with the application. And although the manufacturer of the app was informed of the problem months ago, the truth is that they have not released a single update in all this time to solve it.
How much and what kind of private information is leaking from the application? This is what TechCrunch has found with the profiles it has been able to see due to the bug:
– Phone number of a person
– Screenshot of a bank transfer
– Order confirmation that included someone’s home address
– Arrest record and “much more explicit photos than we expected, to be quite honest,” according to cybersecurity reporter Zack Whittaker
The problem is in the URL
Go SMS Pro uploads all media files that are sent to the Internet and makes them accessible with a URL, according to a Trustwave report. When you send a media message through Go SMS Pro, such as a photo or video, the application uploads the content to its servers, creates a URL pointing to it, and sends that URL to the recipient. If the recipient also has Go SMS Pro, the content appears directly in the message, but the application continues to upload the file and continues to create that link for public access on the Internet.
That URL is where the problem lies: No authentication is required to look at the link, which means that anyone who has it can see the content it hosts. And the URLs generated by the application apparently have a sequential and predictable address, which means that anyone can look at other files just by changing the correct parts of the URL.
In theory, you could even write a script to auto-generate sequential URLs so that you can quickly find and navigate through a lot of private content shared by people using Go SMS Pro.
Worse still, the app developer has not responded, so it is unclear if this vulnerability will ever be fixed. The Trustwave website said it has contacted the developer “up to 4 times since August 18, 2020 to notify him about the vulnerability, with no response.” TechCrunch tried to send two emails connected to the app, and one of them bounced with a message saying that the inbox for that address was full.
Another email was opened but was not answered, and a follow-up email has not been opened. The Verge outlet tried to contact the developer for a comment via an email listed on the Play Store, but the email was returned with a “recipient’s inbox full” message. And the developer’s website listed in the Play Store seems to be broken.