Messaging app Go SMS Pro uploads every file you send to the Internet, which is bad


The messaging app Go SMS Pro, which has over 100 million installs from the Google Play Store, has a huge security flaw that allows people to access sensitive content you send using the app. And even though the app’s creator was notified of the issue months ago, they haven’t made updates to fix what’s happening.

To give you an idea of how much information the app leaks, here’s what TechCrunch was able to find: “After looking at just a few dozen links, we received an order confirmation, including a person’s phone number, a bank transfer screenshot, someone’s home address, arrest records, and more explicit photos than we expected, to be fair,” the cybersecurity reporter Zack Whittaker said. Not great.

Here’s what’s going on: according to Trustwave’s report, Go SMS Pro uploads every media file you send to the Internet and makes those files accessible via a URL. When you send a media message via Go SMS Pro, such as a photo or video, the app uploads the content to its server, creates a URL pointing to it, and sends that URL to the recipient. If the recipient also has Go SMS Pro, the content appears directly in the message – but the app still uploads the file and creates a publicly accessible link on the Internet.

That URL is where the trouble is. No authentication is required to view the link, meaning whoever has it can view the content inside. And the URLs generated by the application have an apparently sequential and predictable address, which means that anyone can see other files simply by changing the right part of the URL. Theoretically, you could also write a script to automatically generate sequential URLs and quickly find and browse a lot of private content shared by people using Go SMS Pro.
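To make the flaw and its fix concrete, here is an added example (not code from Go SMS Pro, Trustwave or the original article) that models the weak link scheme described above beside a hardened one. Every name in it is hypothetical, the one-week expiry is an assumed policy, and `requester` is assumed to be an identity the server has already authenticated.

```python
import hmac
import itertools
import secrets

LINK_TTL = 7 * 24 * 3600  # assumed policy: links expire after one week


class SequentialStore:
    """Weak pattern from the article: counter-based IDs, no access check."""

    def __init__(self):
        self._ids = itertools.count(1000)
        self._files = {}

    def create(self, blob, recipient, now):
        link_id = format(next(self._ids), "x")  # next ID is trivially predictable
        self._files[link_id] = blob
        return link_id

    def fetch(self, link_id, requester, now):
        return self._files.get(link_id)  # anyone holding any valid ID gets the file


class TokenStore:
    """Hardened pattern: random token, bound to a recipient, with expiry."""

    def __init__(self):
        self._files = {}

    def create(self, blob, recipient, now):
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._files[token] = (blob, recipient, now + LINK_TTL)
        return token

    def fetch(self, token, requester, now):
        entry = self._files.get(token)
        if entry is None:
            return None
        blob, recipient, expires = entry
        if now >= expires:
            del self._files[token]  # expired links are purged, not just hidden
            return None
        # The authenticated requester must be the intended recipient.
        if not hmac.compare_digest(requester.encode(), recipient.encode()):
            return None
        return blob


def neighbour_id(link_id):
    """Regression-test helper: the ID one step after a hex counter ID."""
    return format(int(link_id, 16) + 1, "x")
```

A unit test that asks the store for a link's neighbour, or for a valid link as the wrong user, and expects nothing back is a cheap way to keep this class of bug from returning.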

Worst of all, the app’s developer is not responsive, so it’s not clear if this vulnerability will ever be corrected. Trustwave said it has been contacting the developer since August 18-20, 2020, to inform them of the vulnerability, without any reaction. TechCrunch tried emailing two email addresses associated with the application. An email to one address bounced back with a message that the inbox was full. Another email was opened but got no response, and a follow-up email was not opened. The Verge tried to reach the developer for comment via the email address listed on the Play Store listing, but the email was returned with a “recipient inbox full” message. And the developer’s website listed in the Play Store listing appears broken.

So if you are using Go SMS Pro and want to keep the things you share from leaking onto the internet, you may want to find a different messaging app.