Security specialists have detected that GO SMS Pro, a messaging app for Android devices with over 100 million installations, is filtering private media files that have been shared among its users. Exploiting an application flaw, threat actors could access voice messages, videos and private photos, the report prepared by Trustwave researchers’ mentions.
In addition, experts discovered that it is possible to access files sent to users who do not have the application installed on their devices using the application’s servers and using a redirect URL to a Content Delivery Network (CDN) server where GO SMS Pro stores the shared files.
These URLs are generated sequentially each time a file is shared between users, ending up stored on the CDN. This makes it very easy for any user to review all private files shared by service users, even without knowing any of the shared URLs.
Multiple members of the cybersecurity community have confirmed Trustwave’s findings, analyzing dozens of exposed links that redirect to car images, photographs of confidential documents, screenshots and all kinds of intimate images and videos. As if that weren’t, it’s relatively easy to exploit this flaw, as only a simple script is required that quickly generates a list of addresses to link to the vulnerable application.
It’s been 90 days since investigators reported this flaw without getting an answer, so the process of public disclosure of the vulnerability has begun. Although other security firms have been trying to contact GO SMS Pro developers for months, no one in the company has responded.
To make matters worse, many of the emails sent to the company have bounced, either because the developer’s mailbox is full or because they are getting too many messages. The developer’s website is also not available at this time, and customers who wish to visit it see a successful installation message from the Tengine web server instead of the site content.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.