Do you use the Go SMS Pro Android app? If so, you’ve got plenty of company. The app is one of the most popular on Google’s Play Store, boasting more than 100 million installs. That, unfortunately, is the problem. A few months ago, Trustwave discovered and disclosed a major flaw in the app that allowed unauthenticated attackers to gain unrestricted access to voice messages, videos, and photos that had been privately shared between Go SMS Pro users.
The problem stems from the fact that when users send messages to one another, they’re stored on Go SMS Pro servers and message recipients are given shortened URLs which directs them to the actual content.
Unfortunately, those URLs are generated sequentially, which of course means that any hacker who spends a bit of time experimenting can correctly deduce the next URL in the sequence and easily access content that was not intended for him or her. This opens literally all of the content shared by all the users of the app open to abuse. Once the shortened URL is deduced, it’s simply a matter of copying and pasting it into any browser.
The code team leapt into action and was quick to update the app with a version that promised to close that loophole. On November 20th, 2020, Google removed the old version and replaced it with the updated one.
Unfortunately, the latest version didn’t actually fix the problem. The new version disabled the share functionality so that no new content can be shared, but all of the previously shared materials are still on the server and can still be accessed. Worse, there’s absolutely nothing that an individual user can do to remove his or her previously shared content from the app’s servers. As word of the flaw has spread, hackers all over the world have been designing tools to download the content.
The bottom line is, if you use this app and you’ve shared sensitive files with anyone, odds are that one or more hackers now has a copy of whatever you shared.