The GO SMS Pro service, a popular messaging app on Android, is the victim of a major security breach, researchers have reported.
Researchers from Trustwave have discovered a major security flaw in the GO SMS Pro app. This popular messaging app has over 100 million downloads on Android's Play Store.
In practice, every time a user sends a photo, video, audio message, or other file through the app, the content is uploaded to the company’s servers and shared via a link. That link can be sent to someone who does not have the app so that they can access the content of the message. This is where the problem lies. No security measure is applied to the link, which is not generated randomly but sequentially. An attacker can therefore guess web addresses and access a large amount of content that is not supposed to be public. No authentication or authorization is required to access it.
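As an added illustration (not code from Trustwave, TechCrunch or the GO SMS Pro developers), the following Python example contrasts the sequential link identifiers described above with unguessable, expiring link tokens. The function and class names, the counter's starting value and the time-to-live are assumptions made for the example.

```python
import hashlib
import itertools
import secrets
import time
from typing import Optional

# Weak pattern described in the article: identifiers are handed out in order,
# so every valid link sits next to other valid links.
_counter = itertools.count(0x1000)  # constructed starting value

def sequential_link_id() -> str:
    return format(next(_counter), "x")

class ShareLinks:
    """Hardened pattern: random 128-bit token, stored only as a hash, with expiry."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._store = {}  # sha256(token) -> (file_ref, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Keeping only the hash means a leaked table does not reveal live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, file_ref: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 16 bytes from the OS CSPRNG
        self._store[self._digest(token)] = (file_ref, now + self.ttl)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._store.get(key)
        if entry is None:
            return None  # unknown token: nothing is served
        file_ref, expires_at = entry
        if now >= expires_at:
            del self._store[key]  # expired links stop working for good
            return None
        return file_ref
```

A random token is still a bearer secret, so anyone holding the link can open it; content that must stay private to the recipient needs an authorization check in addition.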
The researchers also demonstrated that it was possible to create a script “capable of searching the Net for all files stored in the cloud”. While verifying the researchers' findings, the specialized site TechCrunch was able to get hold of, among other things, explicit photos, a person’s phone number, a screenshot of a bank transfer, an order confirmation that included a home address, and an arrest report.
The discovery took place last August. The researchers then contacted the publisher of the app and waited the usual 90 days before publishing their findings, to give the GO SMS Pro platform time to correct the problem. But according to TechCrunch, the app developers have not yet deployed a fix or responded to the report.