Unpatched Bug in GO SMS Pro App Exposes Millions of Media Messages

Go SMS Pro Messaging App Pulled from Google Play Following Privacy Issues

The app, that has more than 100 million installs on the app's Google Play listing, is said to have exposed private voice messages, video messages, and photos publicly.

Go SMS Pro, a preferred SMS application for millions of users was found leaking user data, potentially affecting millions of users. If the other person did not have the Go SMS Pro app installed a link was shared with them using regular SMS that allowed them to view the file in their browser.

What's truly concerning is that the security researchers over at Trustwave informed the chat app's developer about this issue three months ago, but after not receiving a response to any of their numerous emails they made a decision to go public with this so that users can be informed and can avoid using this app or at the very least sharing any kind of multimedia through it.

The vulnerability stems from the manner media content is displayed when recipients don't have the GO SMS Pro app installed on their devices, leading to potential exposure.

Apart from leaking messages, it also leaked private photos, financial transaction details, private messages, all part of SMS, on the web.


It is advised that users should stop using the application right away until the developers release a fix for the security bug.

After reports came out, Google did not take any action and just removed the app from Google Play Store.

But when the recipient doesn't have Go SMS Pro, the app sends a URL via SMS that allows the nonuser to view the file sent. Using a test URL provided, then changing the sequencing numbers, SiliconANGLE was able to replicate the vulnerability quickly, finding a screenshot someone had sent to another user of their bank account balance at Scotiabank and in another case a love message. Even if the users have shared the links, Go SMS Pro was following and could be predicted whoever know about generating links.

A report by security researchers at TrustWave was first shared with TechCrunch. However, the China-based company didn't respond and confirm whether the issue was fixed. They can also connect to your Instagram DMs if you update your Instagram app, and you have the option to encrypt your conversations. There are many users who do not use the default messaging app as they want a more powerful app or more customizable app.

TechCrunch and TrustWave, both have tried reaching the developers of Go SMS Pro but none of them have received a response.

Related:

Comments

Latest news

COVID-19: Prior coronavirus infection 'offers protection for at least six months'
It comes after a much larger study by Imperial College found that antibodies declined by about 25 per cent three months after infection.

Boris Johnson unveils the UK's biggest military budget in 30 years
He outlined plans on Thursday for a new space command, an artificial intelligence agency and said the navy would be restored as Europe's most powerful.

Ethiopia crisis: Aid agencies call for immediate ceasefire in Tigray
A communications blackout in Tigray has made claims hard to verify, but the overall death toll is believed to be in the hundreds. The government did not immediately respond to requests for comment although it has previously denied bombing civilian targets.

Meghan Markle will ‘never dare come back to London
She claims that she did not cut ties with Thomas , but only convinced him to stop communicating with the press - but he did not heed her requests.

Microsoft launches new platform to bring its cloud to space
Microsoft said it will mostly be used for customers "who need cloud computing capabilities in hybrid or challenging environments, including remote areas".

Other news