Go SMS Pro Messaging App Exposed Users' Private Media FilesGo SMS Pro Messaging App Exposed Users' Private Media Files
The popular Android app uses easily guessable Web addresses when users send private photos, videos, and voice messages.
November 20, 2020

A security vulnerability in Go SMS Pro, a popular Android messaging app, exposes the private photos, videos, and voice messages of millions of users, researchers report.
Researchers with Trustwave SpiderLabs discovered the weakness in version 7.91 of Go SMS Pro, which has more than 100 million users. While it's unclear which other versions are affected, it's believed previous and potentially future versions are vulnerable to the same problem, they say.
Go SMS Pro, like many other messenger applications, lets people send private media to other users. If a recipient has the app, the media appears within the app. If a recipient doesn't have Go SMS Pro, the media file is sent as a Web address via SMS and then opened within a browser.
Researchers found these links could be accessed without any authentication or authorization, so anyone who has a link can view the content. They also learned the URL links are sequential (hexadecimal) and predictable, meaning an attacker could increment the value in a specific URL to view or listen to other users' media messages without authentication.
"As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future," researchers write in a blog post. "This obviously impacts the confidentiality of media content sent via this application." An attacker could use a simple bash script to create a sample list of URLs and potentially steal masses of user data, they note.
Trustwave discovered the vulnerability in August and attempted to contact the app vendor multiple times. The company did not respond, meaning this vulnerability still presents a risk to users. Researchers advise against sending media files that may contain sensitive data until the flaw is patched.
Read the full Trustwave SpiderLabs blog for more details.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication Methods
Oct 26, 2023Modern Supply Chain Security: Integrated, Interconnected, and Context-Driven
Nov 06, 2023How to Combat the Latest Cloud Security Threats
Nov 06, 2023Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and Phishing
Nov 01, 2023SecOps & DevSecOps in the Cloud
Nov 06, 2023