
Go SMS Pro Android App URLs Openly Share Content
The Go SMS Pro Android app is one of the most popular on Google’s Play Store, boasting more than 100 million installs. Unfortunately, a few months ago, Trustwave discovered and disclosed a significant flaw in the app that allowed unauthenticated attackers to gain unrestricted access to voice messages, videos, and photos shared privately between Go SMS Pro users.
The problem stems from the fact that when Go SMS Pro users send messages to one another, Go SMS Pro stores the messages on its servers. The message recipients receive shortened URLs directing them to the actual content.
Unfortunately, those Go SMS Pro URLs are generated sequentially, which of course means that any hacker who spends a bit of time experimenting can correctly deduce the next URL in the sequence and easily access others’ content. The sequential URLs leave all of the content shared by all of the app’s users open to abuse. The shortened URL is easy to discover, and it’s merely a matter of copying and pasting it into any browser.
Quick Update
The development team was quick to update the Go SMS Pro app with a version promising to close that loophole. On November 20th, 2020, Google removed the old Go SMS Pro version and replaced it with the newer one.
Unfortunately, the latest Go SMS Pro version didn’t fix the problem. The new version disabled the share functionality so that no new content can be shared, but all of the previously shared materials are still on the server, where anyone can access them. Worse, there’s absolutely nothing that an individual user can do to remove their previously shared content from the app’s servers. As word of the flaw spreads, hackers worldwide have been designing tools to download the content.
The bottom line is that if you use the Go SMS Pro app and you’re sharing sensitive files with anyone, the odds are that one or more hackers now have a copy.
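The two design problems described above, counter-based link IDs and no way for a user to remove shared content, are contrasted in the following added sketch with a store that uses random IDs, expiry, and owner-initiated removal. It is not Go SMS Pro’s or Trustwave’s code; the class names, the 128-bit token size, and the 7-day lifetime are all assumptions made for illustration.

```python
import secrets
import time

TOKEN_BYTES = 16          # 128 bits from the OS CSPRNG (assumed size for this sketch)
DEFAULT_TTL = 7 * 86400   # assumed retention period: links expire after 7 days


class SequentialShareStore:
    """Weak pattern described in the article: link IDs come from a counter."""

    def __init__(self):
        self._next_id = 1
        self._items = {}

    def share(self, owner, blob):
        link_id = str(self._next_id)   # neighbours of any known link are guessable
        self._next_id += 1
        self._items[link_id] = (owner, blob)
        return link_id


class RandomShareStore:
    """Hardened pattern: unguessable IDs, expiry, and owner-initiated removal."""

    def __init__(self, ttl=DEFAULT_TTL, clock=time.time):
        self._ttl, self._clock = ttl, clock
        self._items = {}

    def share(self, owner, blob):
        link_id = secrets.token_urlsafe(TOKEN_BYTES)   # no relation between links
        self._items[link_id] = (owner, blob, self._clock() + self._ttl)
        return link_id

    def fetch(self, link_id):
        entry = self._items.get(link_id)
        if entry is None:
            return None
        owner, blob, expires_at = entry
        if self._clock() >= expires_at:
            del self._items[link_id]   # expired content is deleted, not just hidden
            return None
        return blob

    def revoke(self, owner, link_id):
        entry = self._items.get(link_id)
        if entry is None or entry[0] != owner:
            return False               # only the sharer may remove the content
        del self._items[link_id]
        return True
```

A random link ID only protects content for as long as the link itself stays private, so the expiry and the revoke path matter as much as the token generation.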