Android app downloaded millions of times from Google Play Store has serious security flaws




Android users should be aware of a serious security issue with a very popular Google Play Store app that has been downloaded hundreds of millions of times. The Go SMS Pro app is a messaging service that Android users have downloaded over 100 million times from the Google Play Store. But security researchers have discovered a major vulnerability in the Android app that could expose private photos, videos, and other files that users have sent.

And, according to a TechCrunch post, the app’s creators haven’t fixed the issue despite being notified months ago.

In August, security researchers at Singapore-based cybersecurity company Trustwave discovered the flaw with Go SMS Pro and contacted the app’s makers about it.

The developers were given 90 days to close the vulnerability before security experts made their findings public.

However, after this deadline passed without Trustwave hearing from the creators of the Android application, the company released details of its investigation.


In an online post, Trustwave said the flaw was discovered in Go SMS Pro version 7.91, and previous and future versions are believed to be affected as well.

As with other messaging applications, Go SMS Pro allows its users to send private media such as photos, videos, or files to each other.

However, the problem arises when someone using Go SMS Pro sends something to another Android user who does not have this application installed.

When this happens, the media file is sent to the recipient as a URL rather than in the application, allowing the user who receives the file to click a web link and open it in their browser.

However, the researchers found that these URLs were easy to predict as they were created sequentially.

So any malicious party that knew how these URLs were created could easily modify them to reach millions of other web addresses.

In its online post, Trustwave said: “Access to the link was possible without any authentication or authorization, which means that any user with the link can view the content.

“Also, the URL link was sequential (hexadecimal) and predictable. Additionally, when sharing media files, a link will be generated regardless of whether the recipient has the application installed.

“As a result, a malicious user could potentially access any multimedia file sent through this service and also any that is sent in the future. This obviously affects the confidentiality of the multimedia content sent through this application.”

Karl Sigler, senior security research manager at Trustwave, told TechCrunch: “An attacker can create scripts that could launch a wide network through all the media files stored in the cloud instance.”

Trustwave said they have contacted the creators of the Go SMS Pro app multiple times since August 18 without receiving a response.

As a result, at the time of publishing its findings, Trustwave said the vulnerability still existed and presented a risk to users.

They advised anyone using the Go SMS Pro Android app not to send media files that they want to keep private or that contain sensitive data until this issue is resolved.
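The weakness Trustwave describes, sequential hexadecimal link IDs, can be contrasted with random, expiring IDs in a short Python example added here (it is not code from Trustwave's post or from the app). The issuer functions, `ShareStore`, the starting counter and the `max_step` threshold are hypothetical, and recipient authentication is not modelled; `predictable_fraction` is a check a service owner can run over IDs their own generator has issued.

```python
import secrets
import time

def sequential_issuer(start=0x5F3A10):      # constructed starting counter
    """Weak scheme as the article describes it: IDs are a hex counter."""
    state = {"n": start}
    def issue():
        state["n"] += 1
        return format(state["n"], "x")
    return issue

def random_issuer():
    """Hardened scheme: 128 bits from the OS CSPRNG, hex-encoded."""
    return lambda: secrets.token_hex(16)

def predictable_fraction(ids, max_step=16):
    """Share of consecutive IDs that sit within max_step of the previous one.

    Near 1.0 means an ID reveals its neighbours; near 0.0 means it does not.
    """
    vals = [int(i, 16) for i in ids]
    close = sum(1 for a, b in zip(vals, vals[1:]) if 0 < b - a <= max_step)
    return close / (len(vals) - 1)

class ShareStore:
    """In-memory stand-in for the media link service (hypothetical)."""
    def __init__(self, issue, ttl_seconds, clock=time.time):
        self._issue, self._ttl, self._clock = issue, ttl_seconds, clock
        self._files = {}

    def share(self, blob):
        link_id = self._issue()
        self._files[link_id] = (blob, self._clock() + self._ttl)
        return link_id

    def fetch(self, link_id):
        entry = self._files.get(link_id)
        if entry is None:
            return None
        blob, expires = entry
        if self._clock() >= expires:          # expired links stop resolving
            del self._files[link_id]
            return None
        return blob

if __name__ == "__main__":
    for name, issuer in (("sequential", sequential_issuer()), ("random", random_issuer())):
        ids = [issuer() for _ in range(1000)]
        print(name, ids[0], predictable_fraction(ids))
```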


