Android users need to be aware of a serious security issue with a hugely popular Google Play Store app that’s been downloaded hundreds of millions of times. The Go SMS Pro app is a popular messaging service which has been downloaded by Android users more than 100million times from the Google Play Store. But security researchers have discovered a major vulnerability with the Android app that could expose private photos, videos and other files that have been sent by users.
And, according to a post by TechCrunch, the app’s makers have not fixed the issue despite being notified about in months ago.
In August security researchers from Singapore-based cybersecurity firm Trustwave discovered the flaw with Go SMS Pro and contacted the app makers about it.
Devs were given a 90-day deadline to close up the vulnerability before the security experts went public with their findings.
However, after this date passed without hearing back from the makers of the Android app Trustwave released details of their research.
In a post online, Trustwave said the flaw was discovered with Go SMS Pro version 7.91 – with older and future versions believed to be impacted too.
Like with other messaging apps, Go SMS Pro lets users of the programmes send private media such as photos, videos or files to one another.
However, the problem arises when someone using Go SMS Pro sends something to another Android user that doesn’t have this app installed.
When this happens, the media file is sent to the recipient as a URL instead of in the app – which allows the user receiving the file to click on a web link and open it in their browser.
However, researchers found these URLs were easy to predict as they were created sequentially.
So any nefarious party that knew how these URLs were created could easily tinker with them to access millions of different web addresses.
In their study online Trustwave said: “Accessing the link was possible without any authentication or authorisation, meaning that any user with the link is able to view the content.
“In addition, the URL link was sequential (hexadecimal) and predictable. Furthermore, when sharing media files, a link will be generated regardless of the recipient having the app installed.
“As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future. This obviously impacts the confidentiality of media content sent via this application.”
While Karl Sigler, senior security research manager at Trustwave, told TechCrunch: “An attacker can create scripts that could throw a wide net across all the media files stored in the cloud instance”.
Trustwave said they have contacted the makers of the Go SMS Pro app multiple times since August 18 without receiving a response.
As a result, at the time of releasing their findings, Trustwave said the vulnerability still existed and presented a risk to users.
They advised anyone using the Go SMS Pro Android app against sending media files that they wished remained private or contained sensitive data until this issue was resolved.
