Security researchers have found a dangerous flaw in Go SMS Pro, which is one of the most popular messaging apps in the Android system from Google.
The researchers at Trustwave explained that the vulnerability in the Go SMS Pro application in the Android system displays photos, videos, and other files sent by users in particular. Worse yet, the app’s maker has not yet done anything about the vulnerability.
Trustwave researchers discovered the vulnerability last August, and contacted the app’s manufacturer, setting a 90-day deadline to fix the issue, as is standard practice in revealing vulnerabilities to allow sufficient time for repair. But after the deadline passed without hearing any response, researchers announced the vulnerability.
Trustwave shared its findings with TechCrunch this week.
The company explained that when a Go SMS Pro user sends an image, video, or other file to a person who has not installed the application in his device, the application uploads the file to its servers, and allows the user to share the web address by text message so that the recipient can see the file without installing The application. But researchers have found that these web addresses are sequential. This means that anyone who knows the predictable web address can navigate through millions of different user file web addresses.
It is reported that the number of times the Go SMS Pro application is more than 100 million downloads, according to Google Play application store lists.
TechCrunch verified the security company’s results and found – upon viewing dozens of links – the person’s phone number, a screenshot of the bank transfer, an order confirmation containing someone’s home address, arrest record, and much more.
Carl Siegler, chief security research director at Trustwave, said that while it was not possible to target any specific user, any file sent using the application is subject to public access.