GO SMS Pro, a popular messaging app for Android with more than 100 million installs, has been found to have an unpatched security flaw that publicly exposes media transferred between users, including personal voice messages, photos, and videos.

“This implies any delicate media shared between buyers of this messenger app is at risk of being compromised by an unauthenticated attacker or curious person,” Trustwave Senior Security Expert Richard Tan said in a report shared with The Hacker News.

According to Trustwave SpiderLabs, the shortcoming was found in version 7.91 of the app, which was released on the Google Play Store on February 18, 2020.
The cybersecurity firm said it tried to contact the app makers a number of times since August 18, 2020, without receiving a response.

But checking the app’s changelog, GO SMS Pro received an update (v7.92) on September 29, followed by another subsequent update, which was published yesterday. The latest updates to the application, however, still do not address the weakness described above.
The vulnerability stems from the way media content is displayed when recipients do not have the GO SMS Pro app installed on their devices, leading to potential exposure.

“If the recipient has the GO SMS Pro application on their product, the media would be shown immediately within the app,” Tan stated. “However, if the recipient does not have the GO SMS Pro application set up, the media file is despatched to the receiver as a URL by way of SMS. The user could then click on the link and see the media file by means of a browser.”
Not only is this link (e.g. “https://gs.3g.cn/D/dd1efd/w”) accessible to anyone without prior authentication, the URL is generated regardless of whether the recipient has the app installed, thereby allowing a malicious actor to access any media files sent via the app.
Specifically, by incrementing the sequential hexadecimal values in the URL (e.g., “https://gs.3g.cn/D/e3a6b4/w”), the flaw makes it possible to view or listen to other media messages shared between other users. An attacker can leverage this method to generate a list of URLs and steal user data without their knowledge.

It is very likely that the flaw affects the iOS version of GO SMS Pro as well, but until there is a fix in place, it is advisable to avoid sending media files using the affected messenger app.

We have reached out to the developers of GO SMS Pro, and we will update the story if we hear back.
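For the operator of a link service like this, one way to spot the sequential-ID walking described above in web access logs. This is an added example, not code from Trustwave's report or the app; the log format, thresholds, function names and sample lines are assumptions, and only the `/D/<hex>/w` path shape comes from the links quoted above.

```python
import re
from collections import defaultdict

# Assumed combined-log-style line; path shape /D/<hex id>/w is from the article.
LINK_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /D/([0-9a-fA-F]+)/w[ ?]')

def find_enumerators(lines, min_ids=5, max_step=4, min_ratio=0.8):
    """Return {client: distinct_id_count} for clients walking adjacent media IDs.

    A client is flagged when it fetched at least `min_ids` distinct IDs and at
    least `min_ratio` of the gaps between its sorted IDs are <= `max_step`.
    """
    seen = defaultdict(list)
    for line in lines:
        m = LINK_RE.match(line)
        if m:
            seen[m.group(1)].append(int(m.group(2), 16))
    flagged = {}
    for client, ids in seen.items():
        distinct = sorted(set(ids))
        if len(distinct) < min_ids:
            continue  # a recipient opening a handful of links is normal
        gaps = [b - a for a, b in zip(distinct, distinct[1:])]
        close = sum(1 for g in gaps if g <= max_step)
        if close / len(gaps) >= min_ratio:
            flagged[client] = len(distinct)
    return flagged

def _line(ip, media_id):
    # Helper that builds one constructed log line for the sample below.
    return (f'{ip} - - [01/Jan/2021:10:00:00 +0000] '
            f'"GET /D/{media_id:06x}/w HTTP/1.1" 200 5120')

# Constructed sample log: documentation IP ranges, made-up media IDs.
SAMPLE_LOG = (
    [_line("198.51.100.7", 0xA00000 + i) for i in range(12)]      # adjacent IDs
    + [_line("203.0.113.20", n) for n in (0x1F3A10, 0x1F3A10, 0x8C44D2)]
    + [_line("192.0.2.55", n) for n in
       (0x100000, 0x2B0000, 0x4F0000, 0x7A0000, 0x990000, 0xC10000)]  # scattered
)

if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct media IDs, mostly adjacent")
```

Detection of this kind only limits the damage; the underlying exposure remains as long as links are sequential and served without authentication.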
Some parts of this article are sourced from:
thehackernews.com