
Go SMS Pro Flaw Exposes Millions of Private Photos and Media Files

Uninstall the app already!


One of the popular messaging apps, Go SMS Pro, has a security flaw that exposes users’ media files, including private voice messages, video messages, and photos shared using the app. Worse, the security flaw is yet to be fixed despite the 90-day notice given to the developer.

According to researchers from Trustwave, any media sent using the app is uploaded to Go SMS Pro’s servers, and a unique URL is assigned to it that a user can share with the recipient.

If the recipient uses the Go SMS Pro app, once the link is received, they’ll instantly view the file without any action.

But if they don’t have the app, they can still tap on the URL to view the media sent without any authentication required. That means that anyone with the URL can also gain access to these media files.

Also, the researchers found that these URLs are sequential and predictable.

And because the app generates these addresses regardless of whether the recipient has Go SMS Pro as their messaging client, an attacker could access millions of files stored on the company’s server as long as they can get their hands on the addresses.

Trustwave says, “a malicious user could potentially access any media files sent via this service and also any that are sent in the future.” That is, of course, unless the vulnerability is fixed.
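For contrast with the sequential, unauthenticated links described above, here is one way a media service could issue share links, added as an illustration (not Go SMS Pro's or Trustwave's code). The host name, key handling, and function names are assumptions; the link stays a bearer link, but it can no longer be guessed and it expires.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumption: a secret held only on the server, never shipped in the app.
SERVER_KEY = secrets.token_bytes(32)
BASE = "https://media.example.invalid/m"  # hypothetical host


def weak_link(upload_counter: int) -> str:
    """Pattern the article describes: sequential ID, no expiry, no check."""
    return f"{BASE}/{upload_counter:08x}"


def _sign(media_id: str, expires: int) -> str:
    # The MAC binds the ID to its expiry, so neither can be altered.
    msg = f"{media_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(ttl: int = 3600, now: Optional[int] = None) -> Tuple[str, str, int, str]:
    """Return (url, media_id, expires, sig) for a newly uploaded file."""
    now = int(time.time()) if now is None else now
    media_id = secrets.token_urlsafe(16)  # 128 random bits, not a counter
    expires = now + ttl
    sig = _sign(media_id, expires)
    return f"{BASE}/{media_id}?exp={expires}&sig={sig}", media_id, expires, sig


def verify_link(media_id: str, expires: int, sig: str,
                now: Optional[int] = None) -> bool:
    """Server-side check before serving the file."""
    now = int(time.time()) if now is None else now
    if now > expires:
        return False  # link has expired
    # Constant-time comparison avoids leaking the MAC byte by byte.
    return hmac.compare_digest(_sign(media_id, expires), sig)
```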

Trustwave reached out to the app developer in August after discovering the issue but did not receive any response.

Any further attempts to reach the developer have also failed, and no update has been shipped out to fix the impending danger.

Go SMS Pro is one of the popular messaging apps on Android, with more than 100 million installs on Google Play. If you have the app installed, it’s time to uninstall it.


Alvin Wanjala

Alvin is a freelance tech journalist. Talk to me via email at alvinwanjala[at]pm[dot]me
