Popular third-party messaging app GO SMS Pro has been found to contain a major security flaw. Security researchers at Trustwave discovered a vulnerability in the app that could allow anyone to access photos, videos, and other media files transferred privately between its users.
Like any other messaging app, GO SMS Pro also lets users send media files such as photos and videos, as well as text messages, to others. If the recipient has the app installed, they will receive the media files directly on the app. However, if the other party doesn't have the app installed, GO SMS Pro uploads the file to its servers and shares a URL with them. The recipient can then access the file by opening the web address in a browser.
But the researchers at Trustwave discovered that these web addresses were sequential and predictable. So anyone could predict the web addresses and get access to files that are intended for someone else. Scary, right? Well, the fact that GO SMS Pro would generate such URLs for every file sent through it – even between two app users – is even more alarming.
Tweaking a URL is enough to access someone else's messages. And with a simple script, an attacker could easily harvest a lot of private data in no time. Viewing just a few dozen links, TechCrunch could find "a person's phone number, a screenshot of a bank transfer, an order confirmation including someone's home address," and several compromising photos.
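The two design decisions the article describes, a sequential link identifier and a "simple script" that walks them, are easy to see from the defender's side. The following is an added illustration written for this page, not Trustwave's proof of concept and not GO SMS Pro's code: it contrasts a counter-based link scheme with one that issues random, expiring tokens, puts a number on how unguessable the second is, and shows the server-side check a media host could run over its access logs to spot a client stepping through consecutive IDs. The hostname and the log lines are constructed for the example.

```python
import secrets
from collections import defaultdict

# Assumed hostname for the illustration; not a real GO SMS Pro endpoint.
SHARE_HOST = "https://files.example.test"
TOKEN_BYTES = 32  # 256 bits of entropy per link


class SequentialLinkStore:
    """Weak scheme: a counter becomes the URL, so every link is predictable.
    Constructed to mirror the flaw the article describes, not the app's code."""

    def __init__(self, start=1000):
        self._next = start
        self._files = {}

    def share(self, filename):
        link_id = self._next
        self._next += 1
        self._files[link_id] = filename
        return f"{SHARE_HOST}/{link_id}"


class RandomLinkStore:
    """Hardened scheme: an unguessable capability token plus an expiry time.
    Times are plain seconds so the example stays deterministic."""

    def __init__(self, ttl_seconds=24 * 3600):
        self._files = {}
        self.ttl = ttl_seconds

    def share(self, filename, now):
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, URL-safe base64
        self._files[token] = (filename, now + self.ttl)
        return f"{SHARE_HOST}/{token}"

    def fetch(self, token, now):
        """Filename for a live token; None for unknown or expired tokens."""
        entry = self._files.get(token)
        if entry is None:
            return None
        filename, expires_at = entry
        if now > expires_at:
            del self._files[token]  # expired links are forgotten, not served
            return None
        return filename


def guess_probability(live_links, attempts, token_bytes=TOKEN_BYTES):
    """Upper bound on the chance that `attempts` random guesses hit any of
    `live_links` valid tokens. For sequential IDs this is ~1 on the first try."""
    space = 2 ** (8 * token_bytes)
    return min(1.0, live_links * attempts / space)


# Constructed access-log lines: client, method, path, status.
SAMPLE_LOG = """\
203.0.113.7 GET /1000 200
203.0.113.7 GET /1001 200
198.51.100.4 GET /1042 200
203.0.113.7 GET /1002 404
203.0.113.7 GET /1003 200
203.0.113.7 GET /1004 200
198.51.100.4 GET /Zt3QmR8fL7vX 200
"""


def longest_sequential_run(ids):
    """Length of the longest run where each requested ID is the previous one + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, min_run=5):
    """Clients whose requests walk at least `min_run` consecutive numeric IDs.
    Misses (404) count too: a probe that fails is still a probe."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, path, _status = line.split()
        tail = path.rsplit("/", 1)[-1]
        if tail.isdigit():
            per_client[client].append(int(tail))
    flagged = {}
    for client, ids in per_client.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[client] = run
    return flagged


if __name__ == "__main__":
    weak = SequentialLinkStore()
    print(weak.share("a.jpg"), weak.share("b.jpg"))  # neighbouring URLs
    print(RandomLinkStore().share("a.jpg", now=0))   # 43-character random token
    print(find_enumerators(SAMPLE_LOG))              # {'203.0.113.7': 5}
```

The random scheme removes the problem rather than hiding it: with 256-bit tokens, even a million live links and a trillion guesses leave the attacker's odds far below one in a billion billion, so there is nothing for a script to walk. The log check is a backstop for services that cannot change their URL format immediately; it flags the client pattern the article describes (one source requesting consecutive IDs, hits and misses alike) so that the source can be rate-limited or blocked.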
GO SMS Pro developers have done nothing to fix this security flaw
Trustwave discovered this vulnerability in GO SMS Pro in August. As is standard practice in vulnerability disclosure, they contacted the developers of the app with a 90-day deadline to fix the issue. However, the developers never responded, even after multiple reminders. Now that the deadline has elapsed, the Singaporean cyber-security firm has gone public with the discovery.
With over 100 million installs globally, GO SMS Pro is one of the most popular third-party messaging apps. Trustwave discovered the bug in v7.91 of the app, but they suspect earlier versions are affected as well, and future versions will be too unless it is fixed. So one can only imagine how much sensitive data the app has been exposing over the years, and how much more it could expose going forward.
Google has taken down GO SMS Pro from the Play Store since this report came out. However, it is already installed on millions of phones around the world. You might want to stay away from it until and unless the developers acknowledge this finding and fix the bug.