Skip to main content

New Android App Go SMS Pro Has Security Vulnerability

By December 16, 2020May 5th, 2022Cybersecurity

Do you use the Go SMS Pro Android app? If so, you’ve got plenty of company. The app is one of the most popular on Google’s Play Store, boasting more than 100 million installs. That, unfortunately, is the problem. A few months ago, Trustwave discovered and disclosed a major flaw in the app that allowed unauthenticated attackers to gain unrestricted access to voice messages, videos, and photos that had been privately shared between Go SMS Pro users.

The problem stems from the fact that when users send messages to one another, they’re stored on Go SMS Pro servers and message recipients are given shortened URLs which directs them to the actual content.

Unfortunately, those URLs are generated sequentially, which of course means that any hacker who spends a bit of time experimenting can correctly deduce the next URL in the sequence and easily access content that was not intended for him or her. This opens literally all of the content shared by all the users of the app open to abuse. Once the shortened URL is deduced, it’s simply a matter of copying and pasting it into any browser.

The code team leapt into action and was quick to update the app with a version that promised to close that loophole. On November 20th, 2020, Google removed the old version and replaced it with the updated one.

Unfortunately, the latest version didn’t actually fix the problem. The new version disabled the share functionality so that no new content can be shared, but all of the previously shared materials are still on the server and can still be accessed. Worse, there’s absolutely nothing that an individual user can do to remove his or her previously shared content from the app’s servers. As word of the flaw has spread, hackers all over the world have been designing tools to download the content.

The bottom line is, if you use this app and you’ve shared sensitive files with anyone, odds are that one or more hackers now has a copy of whatever you shared.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.