The researchers who discovered the vulnerability repeatedly tried to contact the developer, but to no avail.

GO SMS Pro, an Android instant messaging app with over 100 million downloads, contains a vulnerability that lets outsiders retrieve media from other users' conversations. According to specialists at the information security company Trustwave, an unauthenticated attacker can gain access to personal voice messages, videos and photos sent through the GO SMS Pro application.
Media files sent to recipients who do not have GO SMS Pro installed on their smartphones are served from the application's servers via a shortened link, which redirects the recipient to a server in a content delivery network (CDN) where user files are stored. The short links are generated sequentially (using a hexadecimal counter) each time a file is uploaded, so anyone can view other users' files without ever having been sent a link to them. As the researchers explained, it would take an attacker little effort to write a simple script that quickly compiles a list of addresses for photos and videos sent via GO SMS Pro.
"By pasting the generated URLs into multi-tab extensions in Chrome or Firefox, you can easily access personal (and potentially sensitive) media submitted by users of the application," the researchers explained.
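The following is an added example written for this page, not code from Trustwave's proof of concept or from GO SMS Pro itself. It models the weakness the article describes: a short-link ID taken from a hexadecimal counter, so that one observed link reveals the IDs of every neighbouring upload. Beside it is the hardened form a practitioner would expect, a per-file token with 128 bits of CSPRNG entropy. The base URL `https://cdn.example.invalid/D/`, the six-digit ID width, the in-memory `store` and the `harvest` attacker routine are all assumptions for illustration; the real GO SMS Pro link format is deliberately not reproduced.

```python
import secrets

# Hypothetical base URL for the example; not the real GO SMS Pro link format.
BASE_URL = "https://cdn.example.invalid/D/"


class SequentialShortener:
    """Models the weak scheme the article describes: every upload takes the
    next value of a hexadecimal counter, so any stored file's ID is predictable.
    The start value and ID width are assumptions for the example."""

    def __init__(self, start: int = 0x1000, width: int = 6):
        self._counter = start
        self._width = width
        self.store: dict[str, bytes] = {}  # stands in for the CDN

    def upload(self, blob: bytes) -> str:
        self._counter += 1
        short_id = format(self._counter, f"0{self._width}x")
        self.store[short_id] = blob
        return BASE_URL + short_id

    def fetch(self, short_id: str):
        return self.store.get(short_id)


class RandomShortener:
    """Hardened scheme: an unguessable token per upload, 128 bits of entropy
    from the OS CSPRNG, so neighbouring IDs cannot be derived from one link."""

    def __init__(self):
        self.store: dict[str, bytes] = {}

    def upload(self, blob: bytes) -> str:
        short_id = secrets.token_urlsafe(16)  # 16 random bytes -> 128 bits
        self.store[short_id] = blob
        return BASE_URL + short_id

    def fetch(self, short_id: str):
        return self.store.get(short_id)


def neighbour_ids(observed_url: str, span: int) -> list[str]:
    """From one observed short link, derive the IDs of the `span` uploads on
    either side of it. Only meaningful against a counter-based scheme."""
    short_id = observed_url.rsplit("/", 1)[1]
    n = int(short_id, 16)
    width = len(short_id)
    lo, hi = max(n - span, 0), n + span
    return [format(i, f"0{width}x") for i in range(lo, hi + 1) if i != n]


def harvest(shortener, observed_url: str, span: int) -> list[bytes]:
    """Attacker model: request every neighbouring ID and keep what resolves.
    This is the 'simple script' the article refers to, run against the model."""
    found = []
    for short_id in neighbour_ids(observed_url, span):
        blob = shortener.fetch(short_id)
        if blob is not None:
            found.append(blob)
    return found


def guess_probability(id_space_bits: int) -> float:
    """Chance that a single blind guess hits one specific file."""
    return 2.0 ** -id_space_bits


if __name__ == "__main__":
    seq = SequentialShortener()
    # Constructed sample uploads standing in for other users' media.
    links = [seq.upload(f"photo{i}".encode()) for i in range(10)]
    # Knowing just one link (for instance your own), recover the others.
    print(harvest(seq, links[5], span=5))

    rnd = RandomShortener()
    rnd.upload(b"photo")
    # With 128-bit tokens, enumeration is not a practical attack.
    print(guess_probability(128))
```

With the counter scheme, `harvest` returns nine of the ten sample files from a single observed link; with random 128-bit tokens there is no neighbouring ID to compute, and a blind guess succeeds with probability 2^-128 per request. Random tokens are only part of the fix: the CDN should also not serve files to anyone who presents a valid-looking path, and links should expire.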
Trustwave publicly disclosed the vulnerability 90 days after first notifying the GO SMS Pro developer. The researchers made their first attempt to contact the developer on August 18 but received no response; follow-up messages in September, October and November also went unanswered.