GO SMS Pro Exposes Messages of Millions of Users
Popular messaging application GO SMS Pro is exposing the audio, video, and photo messages of its users, Trustwave’s SpiderLabs security researchers discovered.
With over 100 million downloads to date, the Android application is used for communication purposes all over the world, providing users with a large number of personalization options, encryption, support for group chat, and various other capabilities.
In the summer of 2020, the SpiderLabs security researchers discovered that the application exposes media files that users transfer between one-another, and that even an unauthenticated attacker could have access to the exposed data.
The issue, the researchers explain, exists in the functionality that allows users to send private media to other people even if they do not have the GO SMS Pro application installed on their devices.
In such cases, the recipient receives the media file as a URL, via SMS, which would allow the recipient to view the content in a browser.
What SpiderLabs discovered was that the link can be accessed without authentication or authorization, meaning that anyone who knows the URL has access to the shared media.
What’s more, the researchers discovered that the link is sequential (hexadecimal) and predictable, and that the application generates the link regardless of whether the recipient has the application installed or not.
“As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future. This obviously impacts the confidentiality of media content sent via this application,” the researchers say.
Basically, an attacker in the possession of such a link could increment the value in the URL to view or listen to messages that other users might have shared between them.
The researchers also explain that an attacker could create a simple bash script to generate a list of URLs and then leverage it to steal large amounts of user data.
“By taking the generated URLs and pasting them into the multi-tab extension on Chrome or Firefox, it is trivial to access private (and potentially sensitive) media files sent by users of this application,” the researchers argue.
Trustwave says that, despite multiple attempts to contact the vendor, it hasn’t received a response to date. The vulnerability was initially reported on August 18, 2020, and publicly disclosed this week, after the vendor failed to acknowledge it or release a patch.
“It is highly recommended to avoid sending media files that you expect to remain private or that may contain sensitive data using this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it,” Trustwave says.
SecurityWeek too attempted to contact the developer but was unsuccessful. Emails returned an error message and the listed developer website does not appear to be functional.