It turned out that the messaging app Go SMS Pro, with over 100 million downloads on Google Play, has a major vulnerability that potentially allows access to sensitive content that users send using the app. While the app’s manufacturer was informed about the problem months ago, it hasn’t made any updates to fix the issue that occurred.
To give you an idea of how much information the app is leaking, you can refer to the following information TechCrunch can find: “While viewing only a few dozen links, to be fairly honest, an order confirmation that includes a person’s phone number, a screenshot of a bank transfer, and someone’s home address. , arrest record and photos that are much clearer than we expected. ” says cybersecurity reporter Zack Whittaker.
According to a report prepared by Trustwave, Go SMS Pro uploads every media file you send to the other party, and makes these files accessible with a URL. When you send a message with media such as a photo or video via Go SMS Pro, the app uploads the content to its servers and generates a URL showing it and sends it to the recipient. If the recipient also has Go SMS Pro, the content appears directly in the message. However, the app still uploads the file and still creates a publicly accessible link on the internet.
The problem is caused by this URL. No authentication is required to view the link, meaning anyone with the link can view the content in it. And the URLs generated by the app seem to have a sequential and predictable address, which means anyone can look at other files by simply changing the correct parts of the URL. In theory, you could even write a script to automatically generate the sequential URLs, so you can quickly find and browse through many private content shared by people using Go SMS Pro.
Even worse, the developer of the app did not respond to complaints about this issue. Therefore, it is unclear whether the vulnerability in question will be fixed or not. Trustwave has contacted the developer four times since August 18, 2020, notifying them of the vulnerability, but received no response. TechCrunch also sent emails to two email addresses linked to the app, waiting for a reply. Email sent to an address returned with a message that the inbox was full. Another email was opened but not replied and a follow up email was not opened. Meanwhile, the website listed in the developer’s Play Store listing appears to be corrupt.