Messaging app Go SMS Pro, which has over 100 million installs from the Google Play store, has a massive security flaw that potentially allows people to access the sensitive content you’ve sent using the app. And even though the app’s maker was informed about the issue months ago, they haven’t made updates to fix what’s going on.
To give you an idea of just how much information the app leaks, here’s what TechCrunch was able to find: “In viewing just a few dozen links, we found a person’s phone number, a screenshot of a bank transfer, an order confirmation including someone’s home address, an arrest record, and far more explicit photos than we were expecting, to be quite honest,” cybersecurity reporter Zack Whittaker says. Not great.
Here’s what’s going on: Go SMS Pro uploads every media file you send to the internet and makes those files accessible with a URL, according to a report by Trustwave. When you send a message with media via Go SMS Pro, such as a photo or video, the app uploads the content to its servers, creates a URL pointing to it, and sends that URL to the recipient. If the recipient also has Go SMS Pro, the content appears directly in the message — but the app still uploads the file and still creates that publicly accessible link on the internet.
That URL is where the trouble is. There’s no authentication required to look at the link, meaning that anyone who has it could view the content within. And the URLs generated by the app apparently have a sequential and predictable address, meaning that anyone can look at other files just by changing the right parts of the URL. Theoretically, you could even write a script to autogenerate sequential URLs so you could quickly find and browse through a lot of private content shared by people using Go SMS Pro.
Worse, the app’s developer has been unresponsive, so it’s unclear if this vulnerability will ever be fixed. Trustwave said it has contacted the developer four times since August 18th, 2020 to notify them about the vulnerability, with no response. TechCrunch tried emailing two email addresses connected to the app. An email to one address bounced back with a message that the inbox was full. Another email was opened but wasn’t replied to, and a follow-up email hasn’t been opened. The Verge attempted to reach the developer for comment through an email listed on the Play Store listing, but the email bounced back with a “recipient inbox full” message. And the developer’s website listed on the Play Store listing appears to be broken.
So if you’re using Go SMS Pro now and want to keep the things you share from being leaked onto the internet, you might want to find a different messaging app.