Popular Go SMS Pro app leaks details of millions of users

News
By published

Any file sent via Go SMS Pro could be intercepted

SMS messaging
(Image credit: Apple Inc)

One of Android’s most popular SMS messaging apps has a serious security flaw that the app developer does not appear to be interested in fixing. Photos, videos and any other type of file sent through Go SMS Pro, which has more than 100 million installs, is potentially at risk of being intercepted by a threat actor.

Back in August, security researchers at Trustwave discovered that when files were sent by a Go SMS Pro user to someone else that does not have the app, the file was sent to the app's servers and a web address created. This address was then sent via text to the recipient so they could view the file online without installing the app.

However, Trustwave found that the web addresses created were sequential, which makes them extremely predictable. Plus, web addresses were created every time a file was shared - even between two individuals that possessed the Go SMS Pro app.

Deadline passed

As is standard practice with vulnerability disclosures, Trustwave informed Go SMS Pro about the bug and gave them 90 days to issue a fix. That deadline passed, however, leaving the security researchers with little choice but to go public with the vulnerability.

“Trustwave attempted to contact the vendor multiple times since 18 August 2020 but did not receive any response,” a Trustwave security researcher explained. “As such, this vulnerability is still present and presents a risk to users. It is highly recommended to avoid sending media files that you expect to remain private or that may contain sensitive data using this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it.”

Although this particular vulnerability does not make it possible to target a particular user, it still remains possible to acquire highly sensitive information relatively easily. What’s more, a threat actor could potentially create a simple script that would allow them to acquire a huge number of media files in no time at all.

Via TechCrunch

Barclay Ballard
Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things. 

Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
More about security
cybersecurity

Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak

A major Keenetic router data leak could put a million households at risk
Marriage Story

7 romance movies I recommend streaming on Netflix, Hulu, and more to anyone who doesn’t like romance
See more latest
Most Popular
Asus NUC 15 Pro+
Asus unveils its most powerful mini PC to date — but I don't think the Intel-powered NUC 15 Pro+ will compete with Strix Halo models
HDD
Seagate teams with Nvidia to build an NVMe hard drive proof of concept, more than 3 years after its last effort
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Sony WF-C710N in blue glass on beige background
Sony WF-C710 earbuds land, and I think they'll be the 2025 budget buds to beat