GO SMS Pro Exposes Private Messages and Multimedia files Shared Between its Users

The GO SMS Pro application is a popular messenger app with over 100 million downloads and was discovered to openly expose media transferred between users of the app. This exposure includes private voice messages, video messages, and photos.

This implies any sensitive media shared between users of this messenger app is in danger of being compromised by an unauthenticated attacker or curious user.

This defect was discovered on GO SMS Pro v7.91. It is unclear which other versions are affected but this is probable to affect previous, future versions also.

At this point, if the recipient does not have the GO SMS Pro app installed, the media file is sent to the recipient as a URL through SMS. The user could then click on the link and look at the media file through a browser.

The vulnerability Found in GO SMS Pro App

SpiderLabs found that the app permits users to share files with anyone no matter the recipient having the app installed.  Accessing the link was also possible with none authentication or authorization. Moreover, the URL link was sequential (hexadecimal) and predictable.

As a result, a malicious user could potentially access any media files sent through this service. This affects the confidentiality of media content sent through this application.

The following demonstrates how an attacker could misuse this weakness to look at other users’ media content without authorization:

When a recipient receives an SMS text containing a media URL link sent from this app, the text message appears as follows:

Browsing to the above URL ( http://gs.3g(.)cn/D/dd1efd/w) would permit the recipient to view the voice message. Can view or listen to other media messages shared between other users, simply by incrementing the value in the URL.

A simple bash script might be used to generate a sample list of URLs using the predictable changes in the addresses. This will be pasted into the multi-tab extension on Chrome or Firefox for simple viewing.

It is trivial to sensitive media files sent by users of this application.


Trustwave made every effort to contact the vendor multiple times since 18 August 2020 but did not receive any response. As such, this vulnerability remains and presents a risk to users. It is highly recommended to avoid sending media files that you expect to stay private or which will contain sensitive data using this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it, says the report.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

U.S. Fitness Chain Town Sports International Suffered Data Breach – More Than 600K Customers Affected

What is Data Breach and How to Prevent it?


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.

Recent Posts

SSNDOB Marketplace Admin Jailed for Selling millions of Americans Data

In a resounding triumph for justice, U.S. District Judge Kathryn Kimball Mizelle has sentenced Vitalii…

11 hours ago

Is Your Online Store Hacked in a Carding Attack? Here’s an Action Plan to Protect

Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using…

14 hours ago

Google Researchers Find Out How ChatGPT Queries Can Collect Personal Data

The LLMs (Large Language Models) are evolving rapidly with continuous advancements in their research and…

14 hours ago

New Android Malware Employs Various Tactics to Deceive Malware Analyst

In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of…

16 hours ago

DJvu Ransomware Mimic as Cracked Software to Compromise Computers

A recent campaign has been observed to be delivering DJvu ransomware through a loader that…

17 hours ago

Okta Hack: Threat Actors Downloaded all Customer Support System Users’ Data

In a pivotal update to the Okta security incident divulged in October 2023, Okta Security…

18 hours ago