Go SMS Pro is leaking user data, fix still out of sight

Yolanda Curtis
November 21, 2020

GO SMS Pro is a messaging app that has been downloaded over 100 million times, which makes it a significant player among communication apps. "But after the deadline elapsed without hearing back, the researchers went public", said the report by TechCrunch. The app looks just like an average messaging app, like Facebook Messenger, and promises to "encrypt messages & protect your privacy".

What's truly concerning is that the security researchers at Trustwave informed the chat app's developer about this issue three months ago. After receiving no response to any of their numerous emails, they chose to go public so that users can be informed and can avoid using the app, or at the very least avoid sharing any kind of multimedia through it. The Verge also discovered that the website listed on the app's Play Store listing doesn't load.

"Security researchers at Trustwave discovered the flaw in August and contacted the app maker with a 90-day deadline to fix the issue, as is standard practice in vulnerability disclosure to allow enough time for a fix". A malicious person could easily sift through countless private images that were sent via the app, finding random people's photos and media that the senders probably thought were shared privately with just one another.

"By taking the generated URLs and pasting them into the multi-tab extension on Chrome or Firefox, it is trivial to access private (and potentially sensitive) media files sent by users of this application", they explained.

To make matters even worse, we were alerted that our email bounced either because the developer's mailbox is full or because they are receiving way too many messages.

This exposure includes private voice messages, video messages, and photos.

When a user sends a multimedia message, the recipient can receive it even if they don't themselves have GO SMS Pro installed.

The researchers also found that the URLs used for media are sequential and predictable, making it easier to predict the next URL in the hexadecimal sequence. If the other user is not using the app, the link is sent to them in a regular SMS, and they can then view the file in the browser. However, the China-based company didn't respond or confirm whether the issue was fixed.
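As an added example (not taken from Trustwave's report or from the app's code), the sketch below shows one way a server can keep shared-media links unguessable even when the underlying media IDs are sequential hexadecimal values: each link carries an expiry time and an HMAC tag computed with a server-side key. The `/m/<id>/<expires>/<tag>` path layout, the function names and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side secret; a real service would load it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def sequential_id(counter: int) -> str:
    """Weak scheme as the article describes it: each new ID is the previous one plus one, in hex."""
    return format(counter, "x")


def _tag(media_id: str, expires: int) -> bytes:
    # The tag binds the media ID to its expiry, so neither can be altered on its own.
    msg = f"{media_id}.{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def make_share_path(media_id: str, ttl_seconds: int = 86400, now: Optional[int] = None) -> str:
    """Build a link path that is only valid with the matching tag and before expiry."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return f"/m/{media_id}/{expires}/{_tag(media_id, expires).decode()}"


def verify_share_path(path: str, now: Optional[int] = None) -> bool:
    """Reject links whose ID or expiry was changed, and links that have expired."""
    now = int(time.time()) if now is None else now
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "m":
        return False
    _, media_id, expires_s, tag = parts
    if not (expires_s.isascii() and expires_s.isdigit()):
        return False
    expires = int(expires_s)
    # Constant-time comparison avoids leaking how many tag characters matched.
    if not hmac.compare_digest(tag.encode(), _tag(media_id, expires)):
        return False
    return now <= expires
```

With this scheme, knowing one valid link and the next ID in the sequence is not enough to produce a second valid link, because the tag for the neighbouring ID cannot be computed without the server key.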

So, beware if you are also using a third-party messaging app. Data of millions of Go SMS Pro users is available on the web.
