UPDATED 21:06 EST / NOVEMBER 19 2020

SECURITY

Messaging app with 100M installs exposes private data through poor security practices

Go SMS Pro, a messaging app with over 100 million Android installations, has been found to expose user data through poor security practices.

Discovered and publicized today by researchers at Trustwave SpiderLabs, the data is exposed because of the way the app sends media to nonusers. When both users have the app, Go SMS Pro sends media within the app itself.

But when the recipient doesn’t have Go SMS Pro, the app sends a URL via SMS that allows the nonuser to view the file sent. That’s where the issue arises.

The URL generated and sent to nonusers can be accessed without any authentication or authorization, meaning that the media sent is open to all and sundry. But that’s not the worst part. Go SMS Pro issues the URLs sequentially, making guessing a URL link easy.

“As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future,” the researchers noted. “This obviously impacts the confidentiality of media content sent via this application.

The researchers said that they had attempted to contact the vendor of Go SMS Pro Aug. 18, then monthly since then, but had not received any response, noting that the vulnerability is still present. Using a test URL provided, then changing the sequencing numbers, SiliconANGLE was able to replicate the vulnerability quickly, finding a screenshot someone had sent to another user of their bank account balance at Scotiabank and in another case a love message. Potentially the exposed data could have been far worse and involved personally identifiable information.

“Here is another example where a mobile app user believes their photos and videos are protected and only accessible by intended recipients, while in reality they are left exposed,” Josh Bohls, founder of secure content capture company Inkscreen LLC, told SiliconANGLE. “This false sense of security can be exploited both on personal accounts and in the enterprise. Companies who do not provide secure managed solutions for employees to capture and share multimedia content will find themselves similarly exposed to liability and loss.”

Erich Kron, security awareness advocate at security awareness training firm KnowBe4 Inc., noted that this is another example of the dangers of trusting third-party apps and a lesson in how not to respond to reported security issues.

“This vendor uses no authentication to ensure that only the intended recipients can receive the multimedia files,” he said. “Instead, by using only a short, generated hex number to retrieve the file, they leave a huge number of people vulnerable to having private photos and data pilfered without their knowledge. More concerning is the thought that users may not even be aware of how to, or even have the ability to, delete these files once stored on the application developers’ servers.”

Images: Go SMS Pro/SiliconANGLE

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU