GO SMS Professional, a well known messaging application for Android with above 100 million installs, has been uncovered to have an unpatched safety flaw that publicly exposes media transferred between people, together with private voice messages, photographs, and videos.
“This indicates any delicate media shared amongst people of this messenger application is at threat of remaining compromised by an unauthenticated attacker or curious person,” Trustwave Senior Safety Marketing consultant Richard Tan stated in a report shared with The Hacker Information.
According to Trustwave SpiderLabs, the shortcoming was spotted in version 7.91 of the application, which was unveiled on the Google Enjoy Store on February 18, 2020.
The cybersecurity company explained it tried to get hold of the app makers multiple situations since August 18, 2020, without acquiring a reaction.
But checking the app’s changelog, GO SMS Pro received an update (v7.92) on September 29, adopted by a different subsequent update, which was published yesterday. The latest updates to the application, on the other hand, even now will not address the weakness outlined over.
The vulnerability stems from the method media articles is exhibited when recipients don’t have the GO SMS Professional app put in on their gadgets, leading to potential publicity.
“If the receiver has the GO SMS Pro application on their machine, the media would be exhibited mechanically in just the application,” Tan mentioned. “On the other hand, if the receiver does not have the GO SMS Professional app put in, the media file is sent to the recipient as a URL by means of SMS. The user could then simply click on the connection and look at the media file through a browser.”
Not only is this backlink (e.g. “https://gs.3g.cn/D/dd1efd/w”) obtainable to anybody without prior authentication, the URL is produced irrespective of no matter whether the recipient has the application installed, thereby letting a destructive actor to access any media information sent by using the app.
Specially, by incrementing the sequential hexadecimal values in the URL (e.g., “https://gs.3g.cn/D/e3a6b4/w”), the flaw can make it possible to check out or listen to other media messages shared involving other consumers. An attacker can leverage this technique to create a listing of URLs and steal user information without having their expertise.
It’s most likely that the flaw impacts the iOS variation of GO SMS Pro as properly, but until finally there is certainly a repair in area, it is hugely proposed to steer clear of sending media documents utilizing the afflicted messenger application.
We have attained out to the builders of GO SMS Pro, and we will update the tale if we listen to back.