Android messaging app Go SMS Pro is exposing photos, videos and files sent privately by its users, and the app maker has not done anything to secure the user data or fix the issue.
According to a report by TechCrunch, security researchers at Trustwave discovered the flaw in August and contacted the app developer with a 90-day deadline to fix the issue, the standard practice in vulnerability disclosure to allow enough time for a fix. After the deadline ended without a response from the app developer, the researchers decided to go public and shared their findings with TechCrunch this week.
The researchers' findings reveal that when a Go SMS Pro user sends a photo, video or other file to someone who doesn't have the app installed, the app uploads the file to its servers and lets the user share a web address by text message so the recipient can see the file without installing the app. But the researchers found that these web addresses were sequential. In fact, a web address was generated any time a file was shared, even between app users. That meant anyone who knew about the predictable web address could have cycled through millions of different web addresses to users' files.
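The difference between a sequential share identifier and an unguessable one, as an added example that is not code from the app or from the researchers. All names here (`SHARES`, `weak_share_id`, `create_share`, `resolve_share`, `looks_sequential`) are hypothetical, and the expiry and digest-only storage are assumptions about a reasonable design rather than details from the report.

```python
import hashlib
import secrets
import time
from typing import List, Optional

SHARES = {}  # token digest -> (file_id, expires_at); stand-in for a database table

def weak_share_id(counter: int) -> str:
    # The pattern the report describes: each new link is the previous one plus one.
    return format(counter, "x")

def create_share(file_id: str, ttl_seconds: int = 86400,
                 now: Optional[float] = None) -> str:
    # 256 bits from the OS CSPRNG: knowing one link reveals nothing about any other.
    token = secrets.token_urlsafe(32)
    issued = time.time() if now is None else now
    # Store only a digest, so a leaked table does not hand out working links.
    digest = hashlib.sha256(token.encode()).hexdigest()
    SHARES[digest] = (file_id, issued + ttl_seconds)
    return token

def resolve_share(token: str, now: Optional[float] = None) -> Optional[str]:
    current = time.time() if now is None else now
    record = SHARES.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None:
        return None  # unknown token: same answer as an expired one
    file_id, expires_at = record
    if current >= expires_at:
        return None  # links stop working after the TTL
    return file_id

def looks_sequential(ids: List[str]) -> bool:
    # Release check over identifiers your own service issued back to back:
    # if all parse as hex and step by one small constant, they are guessable.
    try:
        values = [int(i, 16) for i in ids]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(ids) >= 3 and len(steps) == 1 and 0 < abs(steps.pop()) <= 16
```

A random token only makes a link unguessable; files that should be visible to one recipient still need an authorization check on the server.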
In the researchers' findings, TechCrunch found a person's phone number, a screenshot of a bank transfer, an order confirmation including someone's home address, an arrest record, and far more explicit photos in links that are created when a user sends data.
According to its listing on the Google Play Store, Go SMS Pro has more than 100 million installs.