Delete 'Go SMS Pro' From Your Android Now

Remigio Civitarese
November 21, 2020

GO SMS Pro, an Android instant messaging application with over 100 million installs, is publicly exposing private multimedia files shared between its users.

According to the app's changelog, GO SMS Pro received an update (v7.92) on September 29, followed by another update published yesterday. GO SMS Pro looks just like an average messaging app, along the lines of Facebook Messenger, and promises to "encrypt messages & protect your privacy".

"However, if the recipient does not have the GO SMS Pro app installed, the media file is sent to the recipient as a URL via SMS". If you're one of the many millions of people who have already installed it, stop using the app and delete it, and tell any contacts who use it to do the same.

Apart from leaking messages, it also leaked private photos and financial transaction details, all sent as part of SMS, onto the web.

To make matters even worse, we were alerted that our email bounced either because the developer's mailbox is full or because they are receiving way too many messages.

Here's what's happening: All media files that you send via Go SMS Pro are saved to a server and assigned a URL.

In addition, these URLs were sequential (hexadecimal) and predictable.
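The weak identifier pattern described above, next to a hardened alternative, as an added example that is not GO SMS Pro's code or Trustwave's. The counter start value, the function names and the `MediaLinkStore` class are hypothetical; `looks_sequential` is meant to be run over identifiers issued by a service you operate.

```python
import itertools
import secrets
import time

_counter = itertools.count(0x5F3A10)  # constructed starting value


def sequential_media_id():
    """Weak pattern: the next value of a counter, rendered as hex."""
    return format(next(_counter), "x")


def random_media_token():
    """Hardened: 128 bits from the OS CSPRNG, rendered as hex."""
    return secrets.token_hex(16)


def looks_sequential(ids):
    """Audit check: True if each hex ID is exactly one more than the last."""
    values = [int(i, 16) for i in ids]
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


class MediaLinkStore:
    """Hypothetical store: unguessable token plus a short link lifetime."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl, self._clock, self._items = ttl_seconds, clock, {}

    def put(self, blob):
        token = random_media_token()
        self._items[token] = (self._clock() + self._ttl, blob)
        return token

    def get(self, token):
        entry = self._items.get(token)
        if entry is None:
            return None  # unknown token: nothing to reveal
        expires_at, blob = entry
        if self._clock() >= expires_at:
            del self._items[token]  # expired links stop resolving
            return None
        return blob
```

A random token only makes links hard to guess; media that must stay private to one recipient still needs an access check on the server.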

After the reports came out, Google took no action other than removing the app from the Google Play Store.

However, according to a report from Trustwave, a vulnerability has been discovered in the way GO SMS Pro shares media files which leaves virtually all of them open to being downloaded by anyone on the internet. Using a test URL provided, then changing the sequencing numbers, SiliconANGLE was able to replicate the vulnerability quickly, finding a screenshot someone had sent to another user of their bank account balance at Scotiabank and, in another case, a love message. In August, researchers at Trustwave discovered the flaw and asked the app-maker to fix it.

"By taking the generated URLs and pasting them into the multi-tab extension on Chrome or Firefox, it is trivial to access private (and potentially sensitive) media files sent by users of this application", they explained. However, the Guangzhou-based company didn't respond or confirm whether the issue was fixed.

Trustwave researchers found the issue specifically in GO SMS Pro version 7.91, though they mentioned in a blog post that it was still in place.
