Do you use the Go SMS Pro Android app?

If so, you've got plenty of company. The app is one of the most popular on Google's Play Store, boasting more than 100 million installs. That, unfortunately, is the problem. A few months ago, Trustwave discovered and disclosed a major flaw in the app that allowed unauthenticated attackers to gain unrestricted access to voice messages, videos, and photos that had been privately shared between Go SMS Pro users.

The problem stems from the fact that when users send messages to one another, they're stored on Go SMS Pro servers and message recipients are given shortened URLs that direct them to the actual content.

Easy to deduce shortened URLs

Unfortunately, those URLs are generated sequentially, which of course means that any hacker who spends a bit of time experimenting can correctly deduce the next URL in the sequence and easily access content that was not intended for him or her. This opens literally all of the content shared by all the users of the app open to abuse. Once the shortened URL is deduced, it's simply a matter of copying and pasting it into any browser.

The code team leaped into action and was quick to update the app with a version that promised to close that loophole. On November 20th, 2020, Google removed the old version and replaced it with the updated one.

Unfortunately, the latest version didn't actually fix the problem. The new version disabled the share functionality so that no new content can be shared, but all of the previously shared materials are still on the server and can still be accessed. Worse, there's absolutely nothing that an individual user can do to remove his or her previously shared content from the app's servers. As word of the flaw has spread, hackers all over the world have been designing tools to download the content.

Our perspective

The bottom line is if you use this app and you've shared sensitive files with anyone, odds are that one or more hackers now has a copy of whatever you shared.

~ As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there!" ~

 

By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can find us on LinkedIn, Facebook, and Twitter.

I am also a published author and speaker in cloud computing, work at home, and cybersecurity. I am working extensively with business and professional associations to provide small business technology education programs. Contact me if you would like me to speak at your association