GO SMS Pro Exposes Messages of Millions of Users

Popular messaging application GO SMS Pro is exposing the audio, video, and photo messages of its users, Trustwave’s SpiderLabs security researchers discovered.

With over 100 million downloads to date, the Android application is used for communication purposes all over the world, providing users with a large number of personalization options, encryption, support for group chat, and various other capabilities.

In the summer of 2020, the SpiderLabs security researchers discovered that the application exposes media files that users send to one another, and that even an unauthenticated attacker could access the exposed data.

The issue, the researchers explain, exists in the functionality that allows users to send private media to other people even if they do not have the GO SMS Pro application installed on their devices.

In such cases, the recipient receives the media file as a URL, via SMS, which would allow the recipient to view the content in a browser.

What SpiderLabs discovered was that the link can be accessed without authentication or authorization, meaning that anyone who knows the URL has access to the shared media.

What’s more, the researchers discovered that the link is sequential (hexadecimal) and predictable, and that the application generates the link regardless of whether the recipient has the application installed or not.

“As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future. This obviously impacts the confidentiality of media content sent via this application,” the researchers say.

Basically, an attacker in possession of such a link could increment the value in the URL to view or listen to messages that other users have shared with each other.

The researchers also explain that an attacker could create a simple bash script to generate a list of URLs and then leverage it to steal large amounts of user data.

“By taking the generated URLs and pasting them into the multi-tab extension on Chrome or Firefox, it is trivial to access private (and potentially sensitive) media files sent by users of this application,” the researchers argue.
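For developers of similar share-by-link features, the sketch below contrasts the weak pattern described above (a sequential hexadecimal link ID with no access check) with a hardened issuer, plus a small audit check for sequential IDs. It is an added example, not code from GO SMS Pro or Trustwave; the class names, the starting counter value, and the idea that the server has already verified the requester's identity are assumptions.

```python
import secrets
import time
from itertools import count

class SequentialLinkIssuer:
    """Weak pattern from the article: hex counter as link ID, no access check."""
    def __init__(self, start=0x1000):          # constructed starting value
        self._next, self._store = count(start), {}
    def share(self, media):
        link_id = format(next(self._next), "x")
        self._store[link_id] = media
        return link_id
    def fetch(self, link_id):
        return self._store.get(link_id)        # any holder or guesser of the ID gets the media

class TokenLinkIssuer:
    """Hardened form: 128-bit random ID, expiry, and a recipient check."""
    def __init__(self, ttl_seconds=24 * 3600, clock=time.time):
        self._ttl, self._clock, self._store = ttl_seconds, clock, {}
    def share(self, media, recipient):
        link_id = secrets.token_hex(16)        # CSPRNG output, not derived from a counter
        self._store[link_id] = (media, recipient, self._clock() + self._ttl)
        return link_id
    def fetch(self, link_id, requester):
        entry = self._store.get(link_id)
        if entry is None:
            return None
        media, recipient, expires_at = entry
        if self._clock() >= expires_at:
            del self._store[link_id]           # expired links stop resolving
            return None
        # Assumption: `requester` was verified by the server beforehand.
        return media if requester == recipient else None

def ids_are_sequential(link_ids):
    """Audit check: True if each hex ID is exactly one more than the previous."""
    values = [int(i, 16) for i in link_ids]
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))
```

Running `ids_are_sequential` over a sample of IDs issued by your own service is a quick regression check that link identifiers are not counter-derived.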

Trustwave says that, despite multiple attempts to contact the vendor, it hasn’t received a response to date. The vulnerability was initially reported on August 18, 2020, and publicly disclosed this week, after the vendor failed to acknowledge it or release a patch.

“It is highly recommended to avoid sending media files that you expect to remain private or that may contain sensitive data using this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it,” Trustwave says.

SecurityWeek too attempted to contact the developer but was unsuccessful. Emails returned an error message and the listed developer website does not appear to be functional.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
