WARNING: Unpatched Bug in GO SMS Pro App Exposes Millions of Media Messages

GO SMS Pro, a popular messaging app for Android with over 100 million installs, has been found to have an unpatched security flaw that publicly exposes media transferred between users, including private voice messages, photos, and videos.

“This means any sensitive media shared between users of this messenger app is at risk of being compromised by an unauthenticated attacker or curious user,” Trustwave Senior Security Consultant Richard Tan said in a report shared with The Hacker News.

According to Trustwave SpiderLabs, the shortcoming was spotted in version 7.91 of the app, which was released on the Google Play Store on February 18, 2020.

The cybersecurity firm said it attempted to contact the app makers multiple times since August 18, 2020, without receiving a response.

But checking the app’s changelog, GO SMS Pro received an update (v7.92) on September 29, followed by another subsequent update, which was published yesterday. The latest updates to the app, however, still doesn’t address the weakness mentioned above.

The vulnerability stems from the manner media content is displayed when recipients don’t have the GO SMS Pro app installed on their devices, leading to potential exposure.

“If the recipient has the GO SMS Pro app on their device, the media would be displayed automatically within the app,” Tan said. “However, if the recipient does not have the GO SMS Pro app installed, the media file is sent to the recipient as a URL via SMS. The user could then click on the link and view the media file via a browser.”

Not only is this link (e.g. “https://gs.3g.cn/D/dd1efd/w”) accessible to anyone without prior authentication, the URL is generated irrespective of whether the recipient has the app installed, thereby allowing a malicious actor to access any media files sent via the app.

Specifically, by incrementing the sequential hexadecimal values in the URL (e.g., “https://gs.3g.cn/D/e3a6b4/w”), the flaw makes it possible to view or listen to other media messages shared between other users. An attacker can leverage this technique to generate a list of URLs and steal user data without their knowledge.

It’s likely that the flaw impacts the iOS version of GO SMS Pro as well, but until there’s a fix in place, it is highly recommended to avoid sending media files using the affected messenger app.

We have reached out to the developers of GO SMS Pro, and we will update the story if we hear back.