The GO SMS Pro chat app leaks chats, files and photos from 100 million users. Uninstall it now

Security researchers have found that GO SMS Pro, an Android messaging app with over 100 million installations, is leaking private media files shared between its users. By exploiting an application flaw, threat actors could access voice messages, videos and private photos, according to the report prepared by Trustwave researchers.


In addition, the experts found that files sent to recipients who do not have the application installed can be accessed through the application's servers, which answer with a redirect URL to the Content Delivery Network (CDN) server where GO SMS Pro stores the shared files.

These URLs are generated sequentially each time a file is shared between users and stored on the CDN, and the CDN serves them without any authentication. Because each identifier can be predicted from the previous one, it is very easy for anyone to browse all private files shared by users of the service, even without knowing a single one of the shared URLs.

Multiple members of the cybersecurity community have confirmed Trustwave's findings, analyzing dozens of exposed links that redirect to car images, photographs of confidential documents, screenshots and all kinds of intimate images and videos. As if that weren't enough, the flaw is relatively easy to exploit: a simple script that quickly generates a list of candidate addresses on the vulnerable service is all that is required.
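The root cause described above is a predictable, unauthenticated share identifier. The following Python is an added illustration, not code from GO SMS Pro or from the Trustwave report: it contrasts a hypothetical sequential-counter sharer with a hardened one that uses a random 256-bit token plus an expiring HMAC signature, so a link can neither be guessed nor forged. The host `cdn.example.invalid`, the in-memory stores and the signing key are all constructed for the demo.

```python
"""Constructed demo: sequential share URLs are enumerable; random, signed,
expiring URLs are not. Nothing here talks to a real service."""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# --- Weak pattern (the kind of design the article describes) -----------------
_seq_counter = 0
_seq_files = {}

def share_sequential(blob: bytes) -> str:
    """Hypothetical weak sharer: the id is a counter, so every id is guessable."""
    global _seq_counter
    _seq_counter += 1
    _seq_files[_seq_counter] = blob
    return f"https://cdn.example.invalid/{_seq_counter:08d}"

def fetch_sequential(url: str) -> Optional[bytes]:
    """No authorisation: whoever can form the URL receives the file."""
    return _seq_files.get(int(url.rsplit("/", 1)[1]))

# --- Hardened pattern ---------------------------------------------------------
_tok_files = {}
SIGNING_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed)

def _sig(token: str, exp: int) -> str:
    return hmac.new(SIGNING_KEY, f"{token}:{exp}".encode(), hashlib.sha256).hexdigest()

def share_token(blob: bytes, ttl: int = 600, now: Optional[int] = None) -> str:
    """256-bit random token (not enumerable) plus an expiring HMAC (not forgeable)."""
    token = secrets.token_urlsafe(32)
    _tok_files[token] = blob
    exp = (now if now is not None else int(time.time())) + ttl
    return f"https://cdn.example.invalid/{token}?exp={exp}&sig={_sig(token, exp)}"

def fetch_token(url: str, now: Optional[int] = None) -> Optional[bytes]:
    """Serve the file only if the signature verifies and the link is unexpired."""
    u = urlparse(url)
    token = u.path.rsplit("/", 1)[1]
    q = parse_qs(u.query)
    try:
        exp, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None
    current = now if now is not None else int(time.time())
    if current > exp or not hmac.compare_digest(sig, _sig(token, exp)):
        return None
    return _tok_files.get(token)
```

A tampered `exp` or a guessed token fails the constant-time signature check, and an expired link is refused even with a valid signature.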

It has been 90 days since the researchers reported this flaw without receiving a response, so the public disclosure process for the vulnerability has begun. Although other security firms have also been trying to contact the GO SMS Pro developers for months, no one at the company has responded.


To make matters worse, many of the emails sent to the company have bounced, either because the developer's mailbox is full or because it is receiving too many messages. The developer's website is also unavailable at this time; visitors who try to reach it see the default "successful installation" page of the Tengine web server instead of the site content.