Go SMS Pro is leaking user data, fix still out of sight

Go SMS Pro leaks data

Go SMS Pro leaks data

Go SMS Pro has more than 100 million installs, according to its listing in Google Play.

That's a huge privacy issue, but what's most alarming is that Go SMS Pro's developers don't appear to be rushing to fix the problem. Additionally, it has been found that when media files are shared using the app, a link gets generated regardless of the recipient having the app installed.

However, there's no authentication required to access these URLs, and worse, the file names/paths are sequential so it's trivial for a bad actor to enumerate through all possible URLs and download whatever GO SMS Pro users have been sending to each other - other cybersecurity researchers have done precisely this, and found all manner of information publicly available, from drivers licence photos, audio files and photos of things you wouldn't show your mother.

The vulnerability stems from the manner media content is displayed when recipients don't have the GO SMS Pro app installed on their devices, leading to potential exposure. However, the app has been revealed to possess a pretty serious flaw that has made it so that the multimedia that users share with one another through the app can become relatively easy to compromise.

Ambassador visits Canadians detained in China in Huawei case
His wife, Vina Nadjibulla, is spearheading efforts to have him released and returned home to Canada. The federal government says no further information can be disclosed about the meetings.

Even though there hasn't been a fix to the bug yet which will be able to protect your files that you have already sent. As mentioned above, the report claims that the researchers had contacted the app maker back in August and they haven't heard from them on this matter. Also, these links aren't restricted to Go SMS Pro users: anyone who knows the URL scheme of one link could easily extrapolate to find more.

After reports came out, Google did not take any action and just removed the app from Google Play Store.

Here's what's happening: All media files that you send via Go SMS Pro are saved to a server and assigned a URL. If the other user is not using the app, then you can send a link to them with a regular SMS, and then the user can view the file in the browser. Anyone can access the files which are shared by the app by just doing a few changes in the URL. However, the Guangzhou-based company didn't respond and confirm whether the issue was fixed. They can also connect to your Instagram DMs if you update your Instagram app, and you have the option to encrypt your conversations.

TechCrunch and TrustWave, both have tried reaching the developers of Go SMS Pro but none of them have received a response.

Recommended News

We are pleased to provide this opportunity to share information, experiences and observations about what's in the news.
Some of the comments may be reprinted elsewhere in the site or in the newspaper.
Thank you for taking the time to offer your thoughts.