The GO SMS Pro application is a popular messenger app with over 100 million downloads and was discovered to openly expose media transferred between users of the app. This exposure includes private voice messages, video messages, and photos.
This implies any sensitive media shared between users of this messenger app is in danger of being compromised by an unauthenticated attacker or curious user.
This defect was discovered on GO SMS Pro v7.91. It is unclear which other versions are affected but this is probable to affect previous, future versions also.
At this point, if the recipient does not have the GO SMS Pro app installed, the media file is sent to the recipient as a URL through SMS. The user could then click on the link and look at the media file through a browser.
The vulnerability Found in GO SMS Pro App
SpiderLabs found that the app permits users to share files with anyone no matter the recipient having the app installed. Accessing the link was also possible with none authentication or authorization. Moreover, the URL link was sequential (hexadecimal) and predictable.
As a result, a malicious user could potentially access any media files sent through this service. This affects the confidentiality of media content sent through this application.
The following demonstrates how an attacker could misuse this weakness to look at other users’ media content without authorization:
When a recipient receives an SMS text containing a media URL link sent from this app, the text message appears as follows:
Browsing to the above URL ( http://gs.3g(.)cn/D/dd1efd/w) would permit the recipient to view the voice message. Can view or listen to other media messages shared between other users, simply by incrementing the value in the URL.
A simple bash script might be used to generate a sample list of URLs using the predictable changes in the addresses. This will be pasted into the multi-tab extension on Chrome or Firefox for simple viewing.
It is trivial to sensitive media files sent by users of this application.
Trustwave made every effort to contact the vendor multiple times since 18 August 2020 but did not receive any response. As such, this vulnerability remains and presents a risk to users. It is highly recommended to avoid sending media files that you expect to stay private or which will contain sensitive data using this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it, says the report.