If you are using Go SMS Pro, your photos can be accessed by literally anyone
Delete it right now and hope the developers act quickly.
There are plenty of messaging apps out there, but one popular messaging app on Android is openly exposing your photos to anyone with a generated URL.
Discovered by Trustwave and reported on by TechCrunch, the Go SMS Pro app has a glaring security flaw that has yet to be patched, and the developers are nowhere to be found. Trustwave first alerted the company to the issue 90 days ago, and still, even today, nothing has been done.
We’ve personally confirmed that the breach works and all it takes is a sequential URL to find images and videos that were sent through the app to other users with or without the app. We found bank information, personal pictures, and plenty of screenshots using the method. And that was only through five minutes of research plugging in random numbers.
If a hacker or data collector used an automated process to quickly scour and download every sequential URL possible, it would take little to no time to collect mass amounts of potentially harmful data.
The app is still available on the Google Play Store and has nearly 100 million downloads.
Karl Sigler, senior security research manager at Trustwave, tells TechCrunch that the hack makes it impossible to target individual users but that “[an] attacker can create scripts that could throw a wide net across all the media files stored in the cloud instance.”
Both Trustwave and TechCrunch have attempted to get a statement, or even a response, from Go SMS, and so far it has been radio silence.
So, needless to say, uninstall this app right now and hope that something is done about this glaringly easy hack and that stored images are removed quickly.