Unpatched Bug in GO SMS Pro App Exposes Millions of Media Messages
The app, which has more than 100 million installs according to its Google Play listing, is said to have publicly exposed private voice messages, video messages, and photos.
Go SMS Pro, a preferred SMS application for millions of users, was found to be leaking user data, potentially affecting millions of them. If the other person did not have the Go SMS Pro app installed, a link was sent to them by regular SMS that allowed them to view the file in their browser.
What's truly concerning is that the security researchers at Trustwave informed the chat app's developer about this issue three months ago. After receiving no response to any of their numerous emails, they decided to go public so that users can be informed and can avoid using this app, or at the very least avoid sharing any kind of multimedia through it.
The vulnerability stems from the way media content is displayed when recipients don't have the GO SMS Pro app installed on their devices, leading to potential exposure.
Apart from leaking messages, it also exposed private photos, financial transaction details, and private messages, all sent as part of SMS conversations, on the web.
Users are advised to stop using the application right away until the developers release a fix for the security bug.
After the reports came out, Google took no action other than removing the app from the Google Play Store.
But when the recipient doesn't have Go SMS Pro, the app sends a URL via SMS that allows the non-user to view the file sent. Using a test URL provided, then changing the sequencing numbers, SiliconANGLE was able to replicate the vulnerability quickly, finding a screenshot someone had sent to another user of their bank account balance at Scotiabank and, in another case, a love message. The links that users shared through Go SMS Pro followed a sequence, so anyone who knew how the links were generated could predict them.
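The sequential-link weakness described above, set beside a link scheme that cannot be predicted from a neighbouring link, as an added example that is not taken from Trustwave's report or from the app's code. The class names, the placeholder host, the link expiry and the `looks_sequential` audit helper are all assumptions made for illustration.

```python
import itertools
import secrets
import time

BASE_URL = "https://media.example.invalid/w/"  # placeholder host (assumption)

class SequentialLinkStore:
    """Weak pattern: the link key is a counter, so one link reveals its neighbours."""
    def __init__(self):
        self._counter = itertools.count(0x1000)
        self._files = {}

    def share(self, media):
        key = format(next(self._counter), "x")
        self._files[key] = media
        return BASE_URL + key

    def fetch(self, key):
        return self._files.get(key)  # no expiry, no check of who is asking

class RandomLinkStore:
    """Hardened pattern: 128-bit random token per file, plus an expiry time."""
    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self._ttl = ttl_seconds
        self._files = {}

    def share(self, media, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 16 bytes from the OS CSPRNG
        self._files[token] = (media, now + self._ttl)
        return BASE_URL + token

    def fetch(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._files.get(token)
        if entry is None or now >= entry[1]:
            self._files.pop(token, None)  # forget expired entries
            return None
        return entry[0]

def looks_sequential(keys, base=16):
    """Audit helper: True if issued keys parse as numbers that step by exactly 1."""
    try:
        nums = [int(k, base) for k in keys]
    except ValueError:
        return False
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))
```

Running `looks_sequential` over a sample of links a service has actually issued is a quick regression check that link keys have not fallen back to a counter.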
A report by security researchers at Trustwave was first shared with TechCrunch. However, the China-based company didn't respond or confirm whether the issue was fixed. They can also connect to your Instagram DMs if you update your Instagram app, and you have the option to encrypt your conversations. Many users do not use the default messaging app because they want a more powerful or more customizable app.
Both TechCrunch and Trustwave have tried reaching the developers of Go SMS Pro, but neither has received a response.