
GO SMS Pro Exposes Messages of Millions of Users

Popular messaging application GO SMS Pro is exposing the audio, video, and photo messages of its users, Trustwave’s SpiderLabs security researchers discovered.

With over 100 million downloads to date, the Android application is used for communication purposes all over the world, providing users with a large number of personalization options, encryption, support for group chat, and various other capabilities.

In the summer of 2020, the SpiderLabs security researchers discovered that the application exposes media files that users transfer between one another, and that even an unauthenticated attacker could access the exposed data.

The issue, the researchers explain, exists in the functionality that allows users to send private media to other people even if they do not have the GO SMS Pro application installed on their devices.

In such cases, the recipient receives the media file as a URL, via SMS, which would allow the recipient to view the content in a browser.

What SpiderLabs discovered was that the link can be accessed without authentication or authorization, meaning that anyone who knows the URL has access to the shared media.

What’s more, the researchers discovered that the link is sequential (hexadecimal) and predictable, and that the application generates the link regardless of whether the recipient has the application installed or not.
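The link scheme described above next to a hardened one, as an added example that is not code from Trustwave or from the application. The class names, the starting counter value and the seven-day lifetime are assumptions; the stores are in-memory stand-ins for a real backend.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32                   # 256 bits from the OS CSPRNG
LINK_TTL_SECONDS = 7 * 24 * 3600   # assumed link lifetime


class SequentialLinks:
    """Weak pattern: a hex counter is the only thing protecting the file."""

    def __init__(self, start=0x1A2B3C):   # constructed starting value
        self._next = start
        self._files = {}

    def share(self, media_path):
        link_id = format(self._next, "x")
        self._next += 1                    # next upload gets the next id
        self._files[link_id] = media_path
        return link_id

    def fetch(self, link_id):
        return self._files.get(link_id)    # no authorization, no expiry


class RandomLinks:
    """Hardened pattern: unguessable token, stored hashed, expiring, revocable."""

    def __init__(self, now=time.time):
        self._now = now
        self._files = {}   # sha256(token) -> (media_path, expires_at)

    @staticmethod
    def _key(token):
        # Only the hash is stored, so a leaked table does not leak live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def share(self, media_path):
        token = secrets.token_urlsafe(TOKEN_BYTES)
        expires_at = self._now() + LINK_TTL_SECONDS
        self._files[self._key(token)] = (media_path, expires_at)
        return token

    def fetch(self, token):
        entry = self._files.get(self._key(token))
        if entry is None or self._now() > entry[1]:
            return None                    # unknown or expired link
        return entry[0]

    def revoke(self, token):
        self._files.pop(self._key(token), None)
```

A random token only removes the predictability; a link that must stay private to one recipient still needs an authorization check on fetch.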

“As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future. This obviously impacts the confidentiality of media content sent via this application,” the researchers say.

Basically, an attacker in possession of such a link could increment the value in the URL to view or listen to messages that other users might have shared between them.

The researchers also explain that an attacker could create a simple bash script to generate a list of URLs and then leverage it to steal large amounts of user data.

“By taking the generated URLs and pasting them into the multi-tab extension on Chrome or Firefox, it is trivial to access private (and potentially sensitive) media files sent by users of this application,” the researchers argue.
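On the server side, the bulk access described above leaves a recognizable trace: one client requesting runs of adjacent identifiers. The following detection sketch is an added example, not part of the Trustwave research; the log format, the `/m/<hex id>` path layout and the threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical log format: "<client_ip> GET /m/<hex id> <status>"
LINE_RE = re.compile(r"^(\S+) GET /m/([0-9a-fA-F]+) (\d{3})$")

# Constructed sample: two ordinary recipients and one client walking ids.
SAMPLE_LOG = """\
203.0.113.7 GET /m/1a2b10 200
198.51.100.23 GET /m/1a2b48 200
198.51.100.23 GET /m/1a2b49 200
192.0.2.50 GET /m/1a2b49 200
198.51.100.23 GET /m/1a2b4a 404
198.51.100.23 GET /m/1a2b4b 200
203.0.113.7 GET /m/9f0031 200
198.51.100.23 GET /m/1a2b4c 200
198.51.100.23 GET /m/1a2b4d 200
"""


def longest_consecutive_run(ids):
    """Length of the longest run of adjacent integers in ids."""
    seen = set(ids)
    best = 0
    for value in seen:
        if value - 1 not in seen:          # value starts a run
            length = 1
            while value + length in seen:
                length += 1
            best = max(best, length)
    return best


def find_enumerators(log_text, min_run=5):
    """Map client -> longest run of adjacent media ids, if >= min_run."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            # Parse as hex so 1a2b49 -> 1a2b4a counts as adjacent.
            per_client[match.group(1)].append(int(match.group(2), 16))
    flagged = {}
    for client, ids in per_client.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[client] = run
    return flagged
```

Failed requests are counted too, since gaps in the identifier space show up as 404s in the middle of a run.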

Trustwave says that, despite multiple attempts to contact the vendor, it hasn’t received a response to date. The vulnerability was initially reported on August 18, 2020, and publicly disclosed this week, after the vendor failed to acknowledge it or release a patch.

“It is highly recommended to avoid sending media files that you expect to remain private or that may contain sensitive data using this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it,” Trustwave says.

SecurityWeek too attempted to contact the developer but was unsuccessful. Emails returned an error message and the listed developer website does not appear to be functional.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
