O Go SMS Pro, one of the most popular SMS apps for Android, was caught exposing photos, videos and files sent by its users. Totaling more than 100 million downloads, personal conversations by thousands of users are vulnerable to attackers, according to researchers from the TrustWave group.
Ordinary SMS messages do not allow you to send media, exchange files, videos or over 140 characters. However, Go SMS Pro offers these features as an “exclusive advantage”, through a controversial method: when sending some very large content, it is sent to the app’s servers, which forward an access link to the recipient.
This means of sharing files, however, exposes all users to the access of onlookers. When without the app, the recipient receives an access link to access via the mobile browser; and this versatility leaves the content exposed to anyone who has the link, since it does not have any type of authentication.
In addition, the file identifier within the URL for accessing the content is a sequential hexadecimal number. Identifying them is a simple process that can be taken to automated systems, generating scripts for accessing other people’s files. Considering that messages can be used to share personal documents, this vulnerability becomes even more serious.
Furthermore, none of the messages exchanged by users are protected by any type of encryption. Then, if intercepted by an attacker, all of its content will be visible, including links to media access on the company’s servers.
No resolution signal
The TrustWave group reports that the flaw was discovered on August 18 in version 7.91 of Go SMS Pro and that it tried to contact the app’s developers, the “Best Free Video Editor & Video Maker Dev Communication” four times. At no time did the company respond to requests for repair and, therefore, the failure was disclosed to the public.
Internationally, sites like The Verge and TechCrunch they also tried to contact before publishing their news. However, they were answered automatically with a “full mailbox” warning. The website of the company responsible for Go SMS Pro is down, displaying only an error message from the web server, in clear signs of abandonment.
Therefore, there is no provision for correcting the problem. The recommendation is: if you are an app user, try to delete your app data and immediately stop using it to exchange messages.