Trustwave researchers have discovered a vulnerability in the GO SMS Pro android application, installed more…
“As a result, a potential attacker is able to view these files without even knowing the URLs themselves and without any authentication”, – said the Trustwave expert.
Unfortunately, the problem is still relevant and the private messages of millions of users are available to anyone. The fact is that a new version of the app was uploaded to the Play Store the day before the Trustwave researchers’ report was published, and then, on November 20, Google removed the app from the Play Store (the day after the report was published).
Although the app was eventually restored, the researchers explain that the updated version only partially fixed the problem: all user media is still available, although content sharing is disabled in the latest version of GO SMS Pro.
Unfortunately, users who have already shared confidential files via GO SMS Pro do not have the option to delete them from the application servers. In essence, the developers of the application were unable to block access to millions of personal photos, videos and voice messages uploaded before the bug was partially fixed.
Therefore, anyone can still download these files using a simple script that generates a list of URLs that link to photos and videos published using vulnerable versions of the application.
“Unfortunately, we are seeing vigorous activity related to this vulnerability. Sites such as Pastebin and Github have more tools and scripts to exploit the problem than you might imagine”, — write Trustwave.
Although the GO SMS Pro developers are definitely aware of the problem and are even trying to fix it, Trustwave writes that they never received a reply from them to any of their emails.
Let me also remind you that a similar problem was found in WhatsApp: bug allows changing text of messages and sender’s identity.
News-bhexusa.xyz is a domain that tries to trick you into clik to its browser notifications…
News-bhupotu.xyz is a domain that tries to trick you into subscribing to its browser notifications…
News-bhocime.info is a site that tries to trick you into subscribing to its browser notifications…
You-hub.online is a site that tries to force you into clik to its browser notifications…
News-bhecudu.live is a domain that tries to force you into clik to its browser notifications…
News-bhiciwe.today is a site that tries to force you into clik to its browser notifications…