Security researchers at Singaporean cyber-security firm Trustwave discovered the flaw in Go SMS Pro that publicly exposes media files transferred between its users. The app allows users to send media files such as photos and videos to others, just like any other messaging app. If the recipient doesn’t have Go SMS Pro installed on their devices, the media file is shared with them as a URL via regular SMS. This link lets the recipient view the media file using a Web browser.
The researchers, as reported by TechCrunch, found that the links sent through Go SMS Pro were sequential and could be predicted by someone who knows how it generates links. This means that a bad actor could be able to access the files shared by any Go SMS Pro user by simply changing some parts of the URL generated by the app.
Trustwave researchers found the issue particularly on the Go SMS Pro version 7.91, though they mentioned in a blog post that it was still in place. TechCrunch’s Zack Whittaker mentioned in his report that after looking at a few dozen links, he spotted a person’s phone number, a screenshot of a bank transfer, and an order confirmation that included an individual’s home address, among other details.
Go SMS Pro creator GOMO Apps was reached out by Trustwave researchers shortly after they discovered the flaw in August. However, the Guangzhou-based company didn’t respond and confirm whether the issue was fixed.
TechCrunch reported that it tried reaching out to the Go SMS Pro maker by emailing on two addresses connected to the app. However, an email sent to one address bounced back with a message that the inbox was full, while another email was received but wasn’t responded and a follow-up was not even opened.
Gadgets 360 also sent an email to GOMO Apps for comment on the issue but didn’t receive any response at the time of filing this story.
The Go SMS Pro app is no longer available for download from Google Play. It may, however, still be there on millions of devices where it was installed before its removal. The app also appears to still be live in some regions as a link for the US location was showing its listing on Google Play, though it’s not accessible in India.
That said, if you’re among the users of Go SMS Pro, you should consider switching to a different app.
In 2020, will WhatsApp get the killer feature that every Indian is waiting for? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.