Vulnerability in Android app GO SMS Pro leaks data exchanged between users

Trustwave researchers have discovered a vulnerability in the GO SMS Pro android application, installed more than 100,000,000 times.

“The GO SMS Pro application is a popular messenger app, and was discovered to publicly expose media transferred between users of the app. This exposure includes private voice messages, video messages, and photos. This means any sensitive media shared between users of this messenger app is at risk of being compromised by an unauthenticated attacker or curious user”, — write Trustwave researchers.

Attackers can even retrieve files from the application server that were intended for users who do not have GO SMS Pro installed on their devices. To do this, attackers need to use a shortened URL like https://gs.3g[.]cn/d/dd1efd/w, which is used to redirect to the CDN used by the application for shared files.

Such URLs are generated sequentially and predictably for each shared file when that content is stored on a CDN server. As a result, a potential attacker is able to view these files without even knowing the URLs themselves and without any authentication.

Bleeping Computer reporters checked the findings of the researchers by examining about 20 such links, among which were photos of users’ cars, screenshots of various messages, personal photos (including erotic ones), videos, audio and even photos of confidential documents.

“Creating a simple script that would quickly generate URL lists for photos, videos, and other custom files is a trivial task”, – the researchers note.

Trustwave specialists notified the developers of the problem on August 20, 2020, but they did not receive answers to three of their letters. As a result, the experts disclosed details of the vulnerability to the public.

Bleeping Computer notes that their attempts to contact the developers have also failed, and the company’s website is generally unavailable: instead, visitors see a message about the successful installation of the Tengine web server.

Let me also remind you that a similar problem was found in WhatsApp: bug allows changing text of messenges and sender’s identity, and from recent vulnerabilities: Firefox bug allowed stealing cookies from Android devices.