One of the popular messaging apps, Go SMS Pro, has a security flaw that exposes users’ media files, including private voice messages, video messages, and photos shared using the app. Worse, the flaw has yet to be fixed despite the 90-day notice given to the developer.
According to researchers from Trustwave, any media sent using the app is uploaded to Go SMS Pro’s servers and assigned a unique URL that the user can share with the recipient.
If the recipient uses the Go SMS Pro app, once the link is received, they’ll instantly view the file without any action.
But if they don’t have the app, they can still tap on the URL to view the media sent without any authentication required. That means that anyone with the URL can also gain access to these media files.
Also, the researchers found that these URLs are sequential and predictable.
And given that the app generates these addresses regardless of whether the recipient uses Go SMS Pro as their messaging client, an attacker could gain access to millions of files stored on the company’s server as long as they can get their hands on the addresses.
Trustwave says, “a malicious user could potentially access any media files sent via this service and also any that are sent in the future.” That holds, of course, unless the vulnerability is fixed.
Trustwave reached out to the app developer in August after discovering the issue but did not receive any response.
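The weakness described above (sequential link identifiers served without any authentication) can be contrasted with a hardened design in a short sketch. This is an added example, not Go SMS Pro's code or Trustwave's: the class names, the in-memory store, the starting counter value, and the idea of binding each link to an authenticated recipient with an expiry are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

class SequentialLinks:
    """Weak pattern from the article: counter-based IDs, no access check."""
    def __init__(self):
        self._next_id = 1000  # constructed starting value
        self._files = {}

    def create(self, media):
        link_id = str(self._next_id)
        self._next_id += 1
        self._files[link_id] = media
        return link_id

    def fetch(self, link_id):
        # Anyone who knows (or can guess) the ID receives the file.
        return self._files.get(link_id)

class HardenedLinks:
    """Assumed fix: 128-bit random tokens, stored hashed, recipient-bound, expiring."""
    def __init__(self, ttl_seconds=86400):
        self._ttl = ttl_seconds
        self._files = {}  # sha256(token) -> (media, recipient, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, media, recipient, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # CSPRNG output, not derivable from other tokens
        self._files[self._key(token)] = (media, recipient, now + self._ttl)
        return token

    def fetch(self, token, authenticated_user, now=None):
        now = time.time() if now is None else now
        entry = self._files.get(self._key(token))
        if entry is None:
            return None
        media, recipient, expires_at = entry
        # Holding the link is not enough: the caller must be the intended recipient.
        if now >= expires_at or authenticated_user != recipient:
            return None
        return media
```

In the weak store, one valid link reveals its neighbours; in the hardened store, a leaked token is still useless to anyone but the bound recipient and stops working after the expiry.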
Any further attempts to reach the developer have also failed, and no update has been shipped out to fix the impending danger.
Go SMS Pro is one of the popular messaging apps on Android, with more than 100 million installs on Google Play. If you have the app installed, it’s time to uninstall it.