The Go SMS Pro messaging app, which has over 100 million installs from the Google Play store, has a huge security flaw that potentially allows people to access sensitive content that you send using the app. And although the app’s maker was informed of the problem months ago, it has not released an update to fix it.
To give you an idea of how much information the application is leaking, here’s what TechCrunch managed to find: “Looking at only a few dozen links, we found a person’s phone number, a bank transfer screenshot, an order confirmation, including someone
Here’s what happens: Go SMS Pro uploads every media file you send to the Internet and makes those files accessible by URL, according to a Trustwave report. When you send a media message via Go SMS Pro, such as a photo or video, the application uploads the content to its servers, creates a URL pointing to it, and sends that URL to the recipient. If the recipient also has Go SMS Pro, the content is displayed directly in the message – but the application still uploads the file and still creates this publicly accessible link on the Internet.
The problem is with this URL. No authentication is required to view the link, which means that anyone who has it can view the content behind it. And the URLs generated by the application evidently follow a consistent and predictable pattern, which means that anyone can view other people’s files just by changing the right parts of the URL. Theoretically, you could even write a script to automatically generate sequential URLs and quickly find and view a lot of private content shared by people using Go SMS Pro.
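The two weaknesses described above (a guessable address and no access check) are fixed on the server side. The sketch below is an added example, not code from Go SMS Pro, Trustwave or the article; the host name, key, URL layout and function names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlsplit, parse_qs

SERVER_KEY = secrets.token_bytes(32)       # hypothetical per-deployment signing key
BASE = "https://media.example.invalid/f/"  # placeholder host, not the app's real one

def _sign(file_id: str, recipient: str, expires: int, key: bytes) -> str:
    # MAC over everything the server must be able to trust later.
    msg = f"{file_id}|{recipient}|{expires}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def weak_url(counter: int) -> str:
    """Weak pattern (illustrative format): predictable ID, nothing to verify."""
    return f"{BASE}{counter:06x}"

def issue_url(recipient: str, ttl: int = 3600, now=None, key: bytes = SERVER_KEY) -> str:
    """Hardened: random 128-bit ID plus an expiring signature bound to the recipient."""
    file_id = secrets.token_urlsafe(16)
    expires = int(now if now is not None else time.time()) + ttl
    sig = _sign(file_id, recipient, expires, key)
    return f"{BASE}{file_id}?exp={expires}&sig={sig}"

def authorize(url: str, requester: str, now=None, key: bytes = SERVER_KEY) -> bool:
    """Run before serving a file; `requester` is the authenticated session identity."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False                       # unsigned or malformed link: refuse
    current = now if now is not None else time.time()
    if current > expires:
        return False                       # link has expired
    file_id = parts.path.rsplit("/", 1)[-1]
    expected = _sign(file_id, requester, expires, key)
    # Constant-time comparison; fails for a tampered field or a different requester.
    return hmac.compare_digest(sig.encode(), expected.encode())

if __name__ == "__main__":
    link = issue_url("alice", ttl=60, now=1000)   # constructed sample values
    print(weak_url(1), weak_url(2))               # neighbouring IDs are trivially related
    print(authorize(link, "alice", now=1030), authorize(link, "mallory", now=1030))
```

Random identifiers alone only make links hard to guess; the signature check tied to an authenticated requester is what keeps a leaked or forwarded link from exposing the file.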
Worse, the application developer is not responding, so it is unclear whether this vulnerability will ever be fixed. Trustwave said it has contacted the developer four times since August 18, 2020 to notify them of the vulnerability, with no response. TechCrunch tried to email two email addresses associated with the application. The email to one address bounced back with a message that the inbox was full. Another email was opened but not answered, and a subsequent email was not opened. The Verge tried to contact the developer for comment via an email address listed in the Play Store, but the email came back with the message “Inbox is full.” And the developer’s website listed in the Play Store seems to be broken.
So, if you’re using Go SMS Pro now and want to keep the things you share from leaking on the web, you may want to find another messaging app.