While most users get by using the SMS app that comes with their phone, some people go looking for more features and more than 100 million people around the world have turned to GO SMS Pro to meet their needs.
However, according to a report from Trustwave, a vulnerability has been discovered in the way GO SMS Pro shares media files which leaves virtually all of them open to being downloaded by anyone on the internet. Photos, videos, audio files and voice messages can all be accessed through this vulnerability, and according to Trustwave, the company behind GO SMS Pro hasn’t been especially responsive.
The issue comes from the way GO SMS Pro shares media files; instead of sending them using MMS (where they travel via carrier systems that are relatively more secure), GO SMS Pro uploads media files to a server hosted in China and then embeds the URL in the SMS message subsequently sent.
If recipients have GO SMS Pro, they don’t see this URL, just the media file – and so they’re none the wiser. However, if they don’t use GO SMS Pro, they receive a URL which looks like this:
Clicking that URL will show them the media file. However, no authentication is required to access these URLs, and worse, the file names/paths are sequential, so it’s trivial for a bad actor to enumerate all possible URLs and download whatever GO SMS Pro users have been sending to each other. Other cybersecurity researchers have done precisely this, and found all manner of information publicly available: driver’s licence photos, audio files and photos of things you wouldn’t show your mother.
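To make the design flaw concrete, here is an added example (not code from GO SMS Pro, Trustwave, or this article) that models both a share server built the way the article describes and a hardened alternative; the `/share/<n>` path scheme, the token length and the expiry are assumptions, and the media bytes are constructed.

```python
import secrets
import time
from typing import Optional


class SequentialShareServer:
    """Models the weak design: media stored under a sequential path and served
    to anyone who asks for it. The /share/<n> scheme is assumed, not the real one."""
    def __init__(self):
        self._files = {}
        self._counter = 0

    def upload(self, data: bytes) -> str:
        self._counter += 1
        path = f"/share/{self._counter}"   # predictable: next id is previous + 1
        self._files[path] = data
        return path

    def fetch(self, path: str) -> Optional[bytes]:
        return self._files.get(path)       # no authentication, no expiry


class TokenShareServer:
    """Hardened alternative: a 256-bit random capability token plus a short TTL,
    so a link cannot be guessed and stops working after ttl_seconds."""
    def __init__(self, ttl_seconds: int = 3600):
        self._files = {}
        self._ttl = ttl_seconds

    def upload(self, data: bytes, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        path = "/share/" + secrets.token_urlsafe(32)   # 32 random bytes
        self._files[path] = (data, now + self._ttl)
        return path

    def fetch(self, path: str, now: Optional[float] = None) -> Optional[bytes]:
        now = time.time() if now is None else now
        entry = self._files.get(path)
        if entry is None or now > entry[1]:
            return None                    # unknown token or expired link
        return entry[0]


def guessable_fraction(server, guesses: int) -> float:
    """Audit helper: the share of stored files that sequential guessing of
    /share/1 .. /share/<guesses> recovers (1.0 = everything, 0.0 = nothing)."""
    if not server._files:
        return 0.0
    hits = sum(1 for n in range(1, guesses + 1) if server.fetch(f"/share/{n}") is not None)
    return hits / len(server._files)


if __name__ == "__main__":
    for cls in (SequentialShareServer, TokenShareServer):
        srv = cls()
        for n in range(5):
            srv.upload(b"constructed media %d" % n)   # constructed sample uploads
        print(cls.__name__, guessable_fraction(srv, 1000))
```

The audit helper reports 1.0 for the sequential design and 0.0 for the token design, which is the gap between "anyone on the internet" and "only the recipient who holds the link".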
Trustwave has attempted to contact the company behind GO SMS Pro to alert them to the issue and to seek comment, but hasn’t – at the time of writing – been successful in obtaining a response. We note, though, that the URLs given in Trustwave’s advisory do not appear to work and – from what we can see – it’s possible that the webserver in question has been taken offline for the time being while the company makes some changes.