- Security researchers have found a vulnerability in popular messaging app GO SMS Pro
- Hackers can access media files like images, videos and audio using an exploit
- GO SMS Pro developers left the vulnerability unpatched for months before fixing it recently
A privacy issue has been found in popular third-party SMS app GO SMS Pro, which has over 100 million downloads. Security researchers at Trustwave have found that an attacker can potentially gain access to private messages, photos, and videos using a relatively simple exploit. GO SMS Pro v7.91 seems to be susceptible to the vulnerability. While exchanges between users are displayed within the app, non-users get a link that displays the contents of the message. The problem is that GO SMS Pro generates this link sequentially, meaning that tweaking the URL is enough to access messages intended for other users. A simple script that automatically harvests and pastes the incremented URLs should be enough for hackers to harvest large amounts of data.
The fact that even messages sent between two GO SMS Pro users can show up via a link makes matters infinitely worse. There is no way for users to determine if their information has been stolen. It is rather frustrating that the vulnerability existed for months, despite the researchers at SpiderLabs reaching out to GO SMS Pro developers. Thankfully, the app has not displayed an advisory message notifying users about the exploit. One can only hope that it has been fixed, as the developers are yet to confirm it officially.
The GO SMS Pro debacle sheds light on the sheer unreliability of some third-party SMS apps, especially ones developed by shady developers. Go SMS Pro has been downloaded over 100 million times on the Play Store, and there’s no way of telling how many users have been affected by this vulnerability. Following the discovery, Google pulled the GO SMS Pro app from the Play Store. If you have downloaded the app, it would be wise to delete it from your device.