
GO SMS Pro Exposes Private Messages and Multimedia files Shared Between its Users

The GO SMS Pro application is a popular messenger app with over 100 million downloads and was discovered to openly expose media transferred between users of the app. This exposure includes private voice messages, video messages, and photos.

This implies any sensitive media shared between users of this messenger app is in danger of being compromised by an unauthenticated attacker or curious user.

This defect was discovered on GO SMS Pro v7.91. It is unclear which other versions are affected, but it is probable that previous and future versions are affected as well.

Notably, if the recipient does not have the GO SMS Pro app installed, the media file is sent to the recipient as a URL through SMS. The recipient can then click on the link and view the media file in a browser.

The Vulnerability Found in the GO SMS Pro App

SpiderLabs found that the app permits users to share files with anyone, regardless of whether the recipient has the app installed. Accessing the link was also possible without any authentication or authorization. Moreover, the URL link was sequential (hexadecimal) and predictable.

As a result, a malicious user could potentially access any media files sent through this service. This affects the confidentiality of media content sent through this application.

The following demonstrates how an attacker could misuse this weakness to look at other users’ media content without authorization:

When a recipient receives an SMS text containing a media URL link sent from this app, the text message appears as follows:

Browsing to the above URL ( http://gs.3g(.)cn/D/dd1efd/w ) would permit the recipient to view the voice message. One can also view or listen to media messages shared between other users simply by incrementing the value in the URL.

A simple bash script could be used to generate a sample list of URLs using the predictable changes in the addresses. That list could then be pasted into a multi-tab extension on Chrome or Firefox for simple viewing.

It is trivial to access sensitive media files sent by users of this application.
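The two properties that make this exposure trivial are sequential media identifiers and the absence of any authorization check. The following added example (not code from the report or from the vendor) shows, on constructed access-log lines in the shape of the share URLs above, how a server operator could spot a client walking adjacent identifiers, and how an unguessable share token removes the enumeration problem in the first place. The log format, the client addresses and the `min_run` threshold are assumptions for illustration.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample access-log lines (client, method, path, status). These are
# made-up entries, not real traffic; the path shape mirrors /D/<hex id>/w.
SAMPLE_LOG = """\
10.0.0.5 GET /D/dd1efd/w 200
10.0.0.5 GET /D/dd1efe/w 200
10.0.0.5 GET /D/dd1eff/w 200
10.0.0.5 GET /D/dd1f00/w 200
192.0.2.7 GET /D/dd1efd/w 200
192.0.2.7 GET /D/0a3c11/w 200
"""

LINE_RE = re.compile(r"^(\S+) GET /D/([0-9a-f]+)/w (\d{3})$")


def parse_log(text):
    """Return (client, media_id_as_int) for every line that hits a share URL."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((m.group(1), int(m.group(2), 16)))
    return hits


def find_enumerators(hits, min_run=3):
    """Flag clients that fetched at least `min_run` consecutive hex ids.

    A legitimate recipient opens the single link they were sent; a client
    requesting adjacent ids is enumerating other users' media.
    """
    per_client = defaultdict(list)
    for client, media_id in hits:
        per_client[client].append(media_id)
    flagged = {}
    for client, ids in per_client.items():
        ids = sorted(set(ids))
        run = longest = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[client] = longest
    return flagged


def new_share_token():
    """Mitigation: a 128-bit token from the OS CSPRNG instead of a counter.
    Unguessable ids stop enumeration; an authorization check is still needed."""
    return secrets.token_urlsafe(16)
```

Running `find_enumerators(parse_log(SAMPLE_LOG))` flags only 10.0.0.5, which fetched four consecutive ids; the client that opened one link plus an unrelated id is not flagged.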

Conclusion

Trustwave made multiple attempts to contact the vendor beginning 18 August 2020 but did not receive any response. As such, this vulnerability remains and presents a risk to users. The report strongly recommends against sending media files that you expect to stay private, or that contain sensitive data, through this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
