Go SMS Pro, an SMS application preferred by millions of users, was found to be leaking user data, potentially affecting millions of people. Yet the developers of the application have done nothing to fix the vulnerability.
A report by security researchers at Trustwave, first shared with TechCrunch, revealed that the app publicly exposes media transferred between its users.
This exposure includes private voice messages, video messages, and photos. This means any sensitive media shared between users of this messenger app is at risk of being compromised by an unauthenticated attacker or curious user.
The bug works as follows. Go SMS Pro, like other messenger apps, allows users to send private media to other users. If the recipient has the Go SMS Pro app on their device, the media is displayed automatically within the app.
If the recipient doesn’t have the Go SMS Pro app installed, the app generates a link for the file and sends that link to the recipient so they can access the file. However, the link could be opened without any authentication or authorisation, meaning that anyone with the link is able to view the content.
In addition, the link URLs were sequential (hexadecimal) and predictable. Furthermore, when media files are shared, a link is generated regardless of whether the recipient has the app installed.
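The flaw described above, shown beside a safer share-link scheme. This is an added example, not code from Go SMS Pro or the Trustwave report; the class names, the one-hour expiry and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class SequentialLinkStore:
    """Flawed pattern described above: hex counter IDs, no expiry, no access check."""

    def __init__(self, start=0x1000):
        self._next, self._files = start, {}

    def share(self, blob):
        link_id = format(self._next, "x")  # next ID is always previous + 1
        self._next += 1
        self._files[link_id] = blob
        return link_id

    def fetch(self, link_id):
        return self._files.get(link_id)


class HardenedLinkStore:
    """Random 256-bit tokens, stored hashed, expiring, minted only when needed."""

    def __init__(self, ttl_seconds=3600):  # assumed expiry window
        self._ttl, self._files = ttl_seconds, {}

    def share(self, blob, recipient_has_app, now=None):
        if recipient_has_app:
            return None  # deliver in-app; never create a web link
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._files[self._digest(token)] = (blob, now + self._ttl)
        return token

    def fetch(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._files.get(self._digest(token))
        if entry is None or now >= entry[1]:
            return None  # unknown or expired token
        return entry[0]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()


def ids_are_sequential(ids):
    """Self-audit check: True if the IDs parse as hex and each is the previous + 1."""
    try:
        nums = [int(i, 16) for i in ids]
    except ValueError:
        return False
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))
```

A random token only makes links unguessable; anyone who obtains a link can still open it until it expires, so the expiry window should be kept short.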
Both TechCrunch and Trustwave tried to reach the developers of Go SMS Pro, but neither received a response. Trustwave discovered the vulnerability back in August and tried to reach the team multiple times without success, so it went public with the findings after the 90-day deadline given for solving the issue.
Users are advised to stop using the application right away until the developers release a fix for the security bug.