Popular Android messaging application Go SMS Pro contains a security vulnerability that is reportedly being exploited by threat actors. Among the data exposed are private files and documents such as photos, videos, and the like.
Go SMS Pro is a messaging application that has more than 100 million users around the globe based on its Google Play Store listing.
When a user sends a photo, video, or another file, it is uploaded through the app. The app then generates a web address and sends it to the recipient via text message, so the recipient does not need to install the software to view the file.
However, upon further inspection of the incident, security researchers from Trustwave SpiderLabs said that the app is exposing these private files to other individuals or users.
In a statement on its blog, the team said, “SpiderLabs found that accessing the link was possible without any authentication or authorization, meaning that any user with the link is able to view the content. In addition, the URL link was sequential (hexadecimal) and predictable.”
The cybersecurity firm also maintains that, since links are generated even when the recipient does not have the app installed, malicious attackers could access media files provided they have access to or knowledge of those links.
Furthermore, The Verge reveals that any individual could access these files just by changing various parts of these links.
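An added example (not from Trustwave's report or the app's code) that sets the two flaws SpiderLabs describes against a hardened design: `looks_sequential` is an audit check a developer can run over identifiers in issue order, and `ShareLinks` issues random tokens that expire and resolve only for the intended recipient. The class, its method names, the sample identifiers, and the premise that `requester` is an identity verified elsewhere are assumptions.

```python
import hashlib
import secrets
import time

# Constructed sample: short hex identifiers in the order they were issued.
CONSTRUCTED_IDS = ["a3f0c1", "a3f0c2", "a3f0c4"]

def looks_sequential(ids, max_step=16):
    """Audit check: True if hex identifiers advance by small positive steps."""
    values = [int(i, 16) for i in ids]
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)

class ShareLinks:
    """Hypothetical share-link store: random token, bound recipient, expiry."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.ttl = ttl_seconds
        # Only a hash of each token is kept, so a leaked table yields no links.
        self._links = {}  # sha256(token) -> (file_id, recipient, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, file_id, recipient, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._links[self._key(token)] = (file_id, recipient, now + self.ttl)
        return token

    def resolve(self, token, requester, now=None):
        """Return file_id only for a live token presented by its recipient.

        `requester` is assumed to be verified elsewhere (for example by a
        one-time code sent to the recipient's number).
        """
        now = time.time() if now is None else now
        entry = self._links.get(self._key(token))
        if entry is None:
            return None  # unknown or guessed token
        file_id, recipient, expires_at = entry
        if now >= expires_at:
            del self._links[self._key(token)]  # expired links are purged
            return None
        if requester != recipient:
            return None  # authorization: holding the link is not enough
        return file_id
```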
In an attempt to verify the issue, TechCrunch launched its own investigation. The news site viewed a number of links, some of which showed a phone number, order confirmation with someone’s home address, a screenshot of a bank transfer, explicit photographs, and more.
When asked about the incident, Karl Sigler, senior security research manager at Trustwave, told TechCrunch that the app vulnerability does not target specific users. However, this still puts millions of users at risk since any file sent through the app can be accessed.
According to Trustwave SpiderLabs’ researchers, the vulnerability was first discovered earlier this year, around August 2020. Following the discovery, Trustwave reportedly reached out to the developer about the incident, giving the developer 90 days to issue a fix.
More than 90 days after the incident and without hearing from the developers of the messaging app, TechCrunch states that the security researchers have had to go public with their findings.
The Verge states that the team behind Trustwave attempted to get in contact with the developers of Go SMS Pro four separate times, but failed to receive any response.