Go SMS Pro is a messaging app that has over 100 million downloads from the Google Play Store. However, it has a massive security flaw that can let other people access the sensitive data you send with the app. Go SMS Pro was notified about the issue months ago, but there have been no updates to fix the problem.
TechCrunch carried out a small investigation of the app and reported: “In viewing just a few dozen links, we found a person’s phone number, a screenshot of a bank transfer, an order confirmation including someone’s home address, an arrest record, and far more explicit photos than we were expecting, to be quite honest.” That does not sound too good, does it?
Why does this happen, though? According to Trustwave, Go SMS Pro uploads media files to the internet, and these files are accessible with a URL. When you send a photo or video with the app, the contents are uploaded to its servers and a URL is created, which is sent to the recipient. If the recipient has Go SMS Pro, the content appears directly in the message, but the file is still uploaded, creating a publicly accessible link on the internet.
No authentication is required to look at the link, meaning that anyone who has access to the link can view it. The sequential and predictable addresses in the URL make it easy for people to find other files just by changing some parts of the URL.
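The two problems described above (predictable addresses and no access check) can be set beside one way of fixing them. This is an added example, not code from Go SMS Pro or Trustwave; the function names, the `/media/` path, and the idea that the server knows who is requesting the file are all assumptions made for illustration.

```python
import hashlib
import hmac
import itertools
import secrets
import time

SECRET = secrets.token_bytes(32)    # server-side signing key (constructed here)
_counter = itertools.count(0x1000)  # constructed starting value

def weak_link():
    """Pattern the article describes: sequential ID, no access check."""
    return f"/media/{next(_counter):x}"

def _sign(file_id, recipient, expires):
    # Bind the file ID, the intended recipient and the expiry into one MAC.
    msg = "\0".join([file_id, recipient, str(expires)]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_link(recipient, ttl=86400, now=None):
    """Random 128-bit ID plus an expiry, both bound to one recipient."""
    now = int(time.time() if now is None else now)
    file_id = secrets.token_urlsafe(16)
    expires = now + ttl
    return f"/media/{file_id}?exp={expires}&sig={_sign(file_id, recipient, expires)}"

def check_link(url, requester, now=None):
    """Serve the file only if the signature matches this requester and time."""
    now = int(time.time() if now is None else now)
    path, _, query = url.partition("?")
    file_id = path.rsplit("/", 1)[-1]
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires = int(params["exp"])
    except (KeyError, ValueError):
        return False                 # unsigned or malformed link
    expected = _sign(file_id, requester, expires).encode()
    supplied = params.get("sig", "").encode()
    return hmac.compare_digest(expected, supplied) and now < expires

if __name__ == "__main__":
    print(weak_link(), weak_link())  # neighbouring IDs differ by one
    link = issue_link("alice", ttl=60, now=1000)
    print(link)
    print(check_link(link, "alice", now=1010))    # intended recipient
    print(check_link(link, "mallory", now=1010))  # someone else holding the URL
```

The signed link only helps if the server authenticates the requester before calling `check_link`; without that step the random ID alone stops guessing but not forwarding.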
Moreover, the developers of the app have been unresponsive, so it's not clear if it will ever be fixed. Trustwave contacted the developer four times since August 18th, 2020 to notify them about the vulnerability, with no response.
If you are using Go SMS Pro, you might want to change your messaging app.