[German]There is an unpatched vulnerability in the GO SMS Pro app that exposes publicy voice messages, videos or photos sent between users. The developer has been contacted without success.
Advertising
GO SMS Pro is a popular messaging application for Android with more than 100 million installations. The app is available in the Google Play Store, for example.
Source: Google Play Store
The GO SMS Pro app allows users to send private media (photos, videos, voice messages) to other users just like other messenger applications. Once the recipient has installed the GO SMS Pro app on their device, the media sent will automatically appear within the app.
Source: Trustwave
However, if the recipient has not installed the GO SMS Pro application, the media file is sent to the recipient as a URL via SMS. The user could then click on the link and view the media file through a browser. Trustwave's security researcher Richard Tan has found a vulnerability in GO SMS Pro v7.91 and disclosed the whole thing in this blog post.
Advertising
He discovered that the link can be accessed without any authentication or authorization. This means that any user with the link can view the content. Furthermore, the URL link was sequential (hexadecimal) and predictable. In addition, when sharing media files, a link is generated regardless of the recipient where the application is installed.
As a result, a malicious user could potentially access all media files sent through this service, as well as those that will be sent in the future. This, of course, has implications for the confidentiality of media content sent through this application. All media such as private voice messages, video messages and photos that are transferred between users via the app are thus public and thus accessible to unauthorized persons. This means that any sensitive media exchanged between users of this Messenger app is at risk of being compromised by an unauthenticated attacker or inquisitive user.
It is not clear which other versions of the app are still affected. Trustwave's security researchers believe that this is likely to affect previous and possibly future versions of the app. The security researcher contacted the app developer on August 18, 2020, but did not receive an answer. After further unsuccessful attempts to contact him, he has now made the vulnerability public and reported it to The Hacker News.
