Go SMS Pro, one of the most popular messaging apps for Android, is exposing photos, videos and other files sent privately by its users. Worse, the app maker has done nothing to fix the bug.
Security researchers at Trustwave discovered the flaw in August and contacted the app maker with a 90-day deadline to fix the problem, as is standard practice in vulnerability disclosure to allow enough time for a fix. But after the deadline elapsed without hearing back, the researchers went public.
When a Go SMS Pro user sends a photo, video or other file to someone who doesn’t have the app installed, the app uploads the file to its servers and lets the user share a web address by text message so the recipient can see the file without installing the app. But the researchers found that these web addresses were sequential. In fact, any time a file was shared, even between app users, a web address would be generated regardless. That meant anyone who knew about the predictable web address could have cycled through vast numbers of different web addresses to users’ files.
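The design flaw described above, next to a hardened alternative, as an added example that is not from the original article or the app's code. The class names, the in-memory store and the one-week lifetime are hypothetical choices made for illustration.

```python
import hashlib
import itertools
import secrets
import time

class SequentialLinks:
    """Weak pattern from the article: every share gets the next ID."""
    def __init__(self):
        self._next = itertools.count(1000)  # constructed starting value
        self._files = {}

    def share(self, blob):
        link_id = str(next(self._next))
        self._files[link_id] = blob
        return link_id

    def fetch(self, link_id):
        return self._files.get(link_id)

class RandomLinks:
    """Hardened: 128-bit random token, stored hashed, with an expiry."""
    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self._ttl = ttl_seconds
        self._files = {}  # sha256(token) -> (expires_at, blob)

    @staticmethod
    def _key(token):
        # Only the hash is kept, so a leaked table holds no working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def share(self, blob, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 16 bytes from the OS CSPRNG
        self._files[self._key(token)] = (now + self._ttl, blob)
        return token

    def fetch(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._files.get(self._key(token))
        if entry is None or entry[0] < now:
            return None  # unknown and expired links look the same to callers
        return entry[1]

def neighbour_exposed(store, link_id):
    """Self-audit: does the numerically adjacent ID resolve to another file?"""
    return link_id.isdigit() and store.fetch(str(int(link_id) + 1)) is not None
```

With random tokens, knowing one link says nothing about any other, and the expiry limits how long a forwarded or leaked link stays usable.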
Go SMS Pro has more than one hundred million installs, according to its listing in Google Play.
TechCrunch verified the researcher’s findings. In viewing just a few dozen links, we found someone’s phone number, a screenshot of a bank transfer, an order confirmation including someone’s home address, an arrest record, and far more explicit photos than we were expecting, to be quite honest.
Karl Sigler, senior security research manager at Trustwave, said that while it wasn’t possible to target any specific user, any file sent using the app is vulnerable to public access. “An attacker can create scripts that could throw a big net across all the media files saved in the cloud instance,” he said.
We had about as much luck getting a response from the app maker as the researchers. TechCrunch emailed email addresses associated with the app. One email immediately bounced back saying the email couldn’t be delivered because of a full inbox. The other emails were opened, according to our email open tracker, but a follow-up email was not.
Since you might now want a messaging app that protects your privacy, we have you covered.