Go SMS Pro messaging app uploads every file you send to the internet, which is bad


The Go SMS Pro messaging app, which has over 100 million installs from the Google Play Store, has a massive security hole that potentially allows other people to access sensitive content you’ve sent using the application. And even though the creator of the app was made aware of the problem months ago, they haven’t released any update to fix it.

To give you an idea of how much information the app is leaking, here’s what TechCrunch was able to find: “By consulting a few dozen links, we found a person’s phone number, a screenshot of a wire transfer, an order confirmation including someone’s home address, an arrest file and photos that are much more explicit than we expected, to be completely honest,” said cybersecurity reporter Zack Whittaker. Not great.

Here’s what’s happening: Go SMS Pro uploads every media file you send to the internet and makes those files accessible with a URL, according to a report from Trustwave. When you send a message with media through Go SMS Pro, like a photo or video, the app uploads the content to its servers, creates a URL pointing to it, and sends that URL to the recipient. If the recipient also has Go SMS Pro, the content appears directly in the message, but the app still uploads the file and still creates this publicly accessible link on the internet.

This URL is where the problem is. No authentication is required to view the link, which means anyone who has it can view the content it contains. And the URLs generated by the app appear to be sequential and predictable, which means anyone can view other files just by changing the right parts of the URL. Theoretically, someone could even write a script to automatically generate sequential URLs to quickly find and browse a large amount of private content shared by Go SMS Pro users.
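To make the design flaw concrete, here is an added example (not code from Go SMS Pro, Trustwave or the original article) that contrasts counter-based links with the kind of link a media-sharing backend should issue: a random identifier, bound to a recipient, with an expiry and a server-side signature check. The host name, function names and the recipient-binding scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

BASE = "https://media.example.invalid/f/"  # placeholder host, not the app's real endpoint
SIGNING_KEY = secrets.token_bytes(32)      # server-side secret, generated for this demo


class SequentialLinks:
    """Weak pattern described above: counter-derived ID, no access check."""

    def __init__(self, start=0x1000):
        self._next = start

    def issue(self):
        link = f"{BASE}{self._next:x}"
        self._next += 1
        return link


def neighbours_guessable(links):
    """Audit helper: True if issued links differ only by an ID increment of one."""
    ids = [int(link.rsplit("/", 1)[1], 16) for link in links]
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


def _sign(file_id, recipient, expires):
    msg = f"{file_id}|{recipient}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_signed_link(recipient, ttl=3600, now=None):
    """Hardened pattern: 128-bit random ID, recipient-bound, expiring, HMAC-signed."""
    file_id = secrets.token_urlsafe(16)
    expires = int(now if now is not None else time.time()) + ttl
    sig = _sign(file_id, recipient, expires)
    return f"{BASE}{file_id}?exp={expires}&sig={sig}", file_id


def verify(file_id, recipient, expires, sig, now=None):
    """Server-side check before serving a file. `recipient` is assumed to come
    from an authenticated session, never from the URL itself."""
    now = int(now if now is not None else time.time())
    if now > expires:
        return False
    return hmac.compare_digest(sig, _sign(file_id, recipient, expires))
```

With this scheme, knowing one link reveals nothing about any other, and a leaked link stops working once it expires or is presented by a different account.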

Worse yet, the app developer hasn’t responded, so it’s unclear whether this vulnerability will ever be patched. Trustwave said it had contacted the developer four times since August 18, 2020 to inform them of the vulnerability, with no response. TechCrunch tried to email two email addresses connected to the app. An email to one address bounced with a message that the inbox was full. Another email was opened but was not answered, and a follow-up email was not opened. The Verge tried to contact the developer for comment via an email address on the Play Store listing, but the email bounced back with a “Recipient’s Inbox Full” message. And the developer’s website linked from the Play Store listing appears to be broken.

So if you’re using Go SMS Pro now and want to prevent things you share from being leaked on the internet, you might want to find a different messaging app.

