Go SMS Pro, the app with 100 million downloads, has a security vulnerability that makes it possible for anyone to access millions of photos and files. The app generates a download link when a user sends a file to a contact who does not have the application. Knowing this link is enough to access the content of the message. The flaw was discovered on Go SMS Pro 7.91 but could well exist on other versions.
One of the world's most popular messaging apps has a huge security hole. Discovered in August by security researchers at Trustwave, it still does not seem to have been fixed, although it allows anyone to access millions of private photos and files. All that is needed is a link generated by the application, which has 100 million users.
When you send a file to a contact who does not have the application, the application uploads it to its servers and shares a public URL that points to it. In fact, a link is generated as soon as a file is shared. However, no security measure is applied to these URLs, which are therefore accessible to everybody. Worse, they are reportedly not generated truly at random, and would therefore be predictable.
Anyone can access millions of photos of Go SMS Pro users
No authorization or authentication is required to access the content of the link. Concretely, anyone who intercepts the URL or obtains it in any other way can retrieve the shared content. Although it is theoretically not possible to target a particular user, it is possible to "create a script capable of searching through the net all files stored in the cloud", according to Trustwave.
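The difference between a guessable share link and one that is unguessable, expiring and bound to its recipient, as an added example (not code from Go SMS Pro or Trustwave). The counter-based scheme, the class names, the 24-hour lifetime and the assumption that the caller has already verified the requester's phone number are all illustrative.

```python
import secrets
import time


class PredictableLinks:
    """Weak pattern: IDs come from a counter and fetch() checks nothing.
    The counter is a constructed stand-in; the app's real scheme is not
    described on this page."""

    def __init__(self):
        self._next = 0x1000
        self._files = {}

    def share(self, blob):
        link_id = format(self._next, "x")
        self._next += 1  # the next link is trivially derivable from this one
        self._files[link_id] = blob
        return link_id

    def fetch(self, link_id):
        return self._files.get(link_id)  # no authentication, no expiry


class HardenedLinks:
    """Corrected pattern: CSPRNG token, recipient binding, limited lifetime."""

    TTL_SECONDS = 24 * 3600  # assumed lifetime for the example

    def __init__(self, clock=time.time):
        self._clock = clock
        self._files = {}

    def share(self, blob, recipient):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._files[token] = (blob, recipient, self._clock() + self.TTL_SECONDS)
        return token

    def fetch(self, token, verified_requester):
        # verified_requester: identity the caller has already authenticated
        # (assumption: e.g. a phone number confirmed out of band).
        entry = self._files.get(token)
        if entry is None:
            return None
        blob, recipient, expires_at = entry
        if self._clock() > expires_at:
            del self._files[token]  # expired content is purged, not just hidden
            return None
        if verified_requester != recipient:
            return None  # holding the URL alone is not enough
        return blob
```
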
The researchers reported having been able to view telephone numbers, bank details and even photos of an explicit nature. For now, the flaw has only been confirmed on version 7.91 of the application, but it may also be present in earlier versions. For the time being, Go SMS Pro has not said that it is working on a fix. With the data of 73 million Internet users already for sale on the dark web, it is more than necessary to be careful about the content shared online.
Source: Trustwave