Go SMS Pro, a messaging app with over 100 million Android installations, has been found to expose user data through poor security practices.

Discovered and publicized today by researchers at Trustwave SpiderLabs, the data is exposed because of the way the app sends media to nonusers. When both users have the app, Go SMS Pro sends media within the app itself.

But when the recipient doesn’t have Go SMS Pro, the app sends a URL via SMS that allows the nonuser to view the file sent. That’s where the issue arises.

The URL generated and sent to nonusers can be accessed without any authentication or authorization, meaning that the media sent is open to all and sundry. But that’s not the worst part. Go SMS Pro issues the URLs sequentially, making guessing a URL link easy.

“As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future,” the researchers noted. “This obviously impacts the confidentiality of media content sent via this application.

The researchers said that they had attempted to contact the vendor of Go SMS Pro Aug. 18, then monthly since then, but had not received any response, noting that the vulnerability is still present. Using a test URL provided, then changing the sequencing numbers, SiliconANGLE was able to replicate the vulnerability quickly, finding a screenshot someone had sent to another user of their bank account balance at Scotiabank and in another case a love message. Potentially the exposed data could have been far worse and involved personally identifiable information.

“Here is another example where a mobile app user believes their photos and videos are protected and only accessible by intended recipients, while in reality they are left exposed,” Josh Bohls, founder of secure content capture company Inkscreen LLC, told SiliconANGLE. “This false sense of security can be exploited both on personal accounts and in the enterprise. Companies who do not provide secure managed solutions for employees to capture and share multimedia content will find themselves similarly exposed to liability and loss.”

Erich Kron, security awareness advocate at security awareness training firm KnowBe4 Inc., noted that this is another example of the dangers of trusting third-party apps and a lesson in how not to respond to reported security issues.

“This vendor uses no authentication to ensure that only the intended recipients can receive the multimedia files,” he said. “Instead, by using only a short, generated hex number to retrieve the file, they leave a huge number of people vulnerable to having private photos and data pilfered without their knowledge. More concerning is the thought that users may not even be aware of how to, or even have the ability to, delete these files once stored on the application developers’ servers.”

Images: Go SMS Pro/SiliconANGLE