Personal data — including photos, videos and other files — of users of the Go SMS Pro app is exposed, according to a report by TechCrunch that cites the findings of security researchers at Trustwave.
The report claims that these photos, videos and other files were privately shared by users, and that the app maker has apparently known about the issue since August but “has done nothing to fix the bug.”
“Security researchers at Trustwave discovered the flaw in August and contacted the app maker with a 90-day deadline to fix the issue, as is standard practice in vulnerability disclosure to allow enough time for a fix. But after the deadline elapsed without hearing back, the researchers went public,” said the report by TechCrunch.
The app, which has more than 100 million installs according to its Google Play listing, is said to have publicly exposed private voice messages, video messages, and photos.
To understand the vulnerability, readers must note that this app allows users to share files with anyone, regardless of whether the recipient has the app. It does this by sending the recipient a URL via SMS; clicking on this URL allows the recipient to view the media file in a browser.
The researchers claim that their findings show that the app lets anyone access the link without any authentication, which means that anyone who gets the link can access the file. Additionally, it has been found that when media files are shared using the app, a link gets generated regardless of whether the recipient has the app installed.
“As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future. This obviously impacts the confidentiality of media content sent via this application,” adds the research.
As mentioned above, the report claims that the researchers contacted the app maker back in August and have not heard back on this matter.
“Trustwave attempted to contact the vendor multiple times since 18 August 2020 but did not receive any response. As such, this vulnerability is still present and presents a risk to users. It is highly recommended to avoid sending media files that you expect to remain private or that may contain sensitive data using this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it,” said the report.