One of Android’s most popular SMS messaging apps has a serious security flaw that the app developer does not appear to be interested in fixing. Photos, videos and any other type of file sent through Go SMS Pro, which has more than 100 million installs, is potentially at risk of being intercepted by a threat actor.
Back in August, security researchers at Trustwave discovered that when files were sent by a Go SMS Pro user to someone else that does not have the app, the file was sent to the app’s servers and a web address created. This address was then sent via text to the recipient so they could view the file online without installing the app.
However, Trustwave found that the web addresses created were sequential, which makes them extremely predictable. Plus, web addresses were created every time a file was shared – even between two individuals that possessed the Go SMS Pro app.
As is standard practice with vulnerability disclosures, Trustwave informed Go SMS Pro about the bug and gave them 90 days to issue a fix. That deadline passed, however, leaving the security researchers with little choice but to go public with the vulnerability.
“Trustwave attempted to contact the vendor multiple times since 18 August 2020 but did not receive any response,” a Trustwave security researcher explained. “As such, this vulnerability is still present and presents a risk to users. It is highly recommended to avoid sending media files that you expect to remain private or that may contain sensitive data using this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it.”
Although this particular vulnerability does not make it possible to target a particular user, it still remains possible to acquire highly sensitive information relatively easily. What’s more, a threat actor could potentially create a simple script that would allow them to acquire a huge number of media files in no time at all.
social experiment by Livio Acerbo #greengroundit #techradar https://www.techradar.com/news/popular-go-sms-pro-app-leaks-details-of-millions-of-users/