GO SMS Pro, an Android instant messaging app installed by over 100 million users, is still exposing its users’ privately shared messages, even though the developer has been working on a fix for the flaw responsible for the data leak for almost two weeks.
The flaw, which was discovered by researchers at Trustwave around three months ago, was publicly disclosed on November 19. It enabled unauthenticated attackers to gain unrestricted access to voice messages, videos, and photos privately shared by GO SMS Pro users.
Private files sent by users to contacts who do not have GO SMS Pro installed can be accessed from the app’s servers using a shortened URL that redirects to a content delivery network (CDN) server used to store all shared messages.
However, the shortened URLs sent to contacts without the app were generated sequentially each time files were shared between users and the media was stored on the CDN server.
This made it easier to go through all of these privately shared files, even without knowing the full list of shared URLs.
The shared files include photos of users’ cars, screenshots of other private messages and Facebook posts, videos and audio recordings, photos of sensitive documents, and even nude photos.
The researchers stated that by taking the generated URLs and pasting them into the multi-tab extension on Chrome or Firefox, it is trivial to access private and sensitive media files sent by users of this application.
A new version of the app was uploaded to the Play Store before the advisory was released, and Google removed the app from the Play Store after the advisory was released.
On November 23rd, Google reinstated the app on the Play Store with an updated version.
Even with the new versions released, the fix only partially addresses the flaw exposing users’ private files: all previously shared media is still accessible, even though the sharing feature no longer works in the latest version.
Users who have already shared sensitive files using GO SMS Pro do not have any way to delete them from the app’s storage server.
So, it is possible for anyone to batch download them using a script that generates a list of addresses linking to photos and videos shared using vulnerable app versions.
It has been found that images downloaded from GO SMS Pro’s servers are already being shared on underground forums.
As of now, the app developers have not been able to block access to millions of users’ private photos, videos, and voice messages uploaded before this flaw was partially addressed.
As a result, users’ sensitive messages can be accessed by anyone using publicly available tools, an exposure that cannot be fixed even if Google takes down the app from the Play Store.
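A server-side share-link design that avoids the two problems described above (sequentially generated short URLs, and no way for senders to delete files they have shared) is sketched below as an added example; it is not GO SMS Pro's or Trustwave's code. The `ShareStore` class, its method names, the 128-bit token size and the seven-day expiry are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 16  # 128 bits from the OS CSPRNG (assumed size, not from the article)


class ShareStore:
    """Hypothetical media-share link store; all names here are illustrative."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._links = {}  # sha256(token) -> {"owner", "blob", "expires"}

    @staticmethod
    def _key(token):
        # Index by hash so a leaked index does not reveal working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, owner, blob, now=None):
        now = time.time() if now is None else now
        # Random token instead of a counter: knowing one link says nothing
        # about any other link.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._links[self._key(token)] = {
            "owner": owner, "blob": blob, "expires": now + self.ttl}
        return token

    def resolve(self, token, now=None):
        now = time.time() if now is None else now
        key = self._key(token)
        entry = self._links.get(key)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._links[key]  # expired links stop resolving for good
            return None
        return entry["blob"]

    def revoke(self, owner, token):
        # Senders can delete what they shared; nobody else can.
        key = self._key(token)
        entry = self._links.get(key)
        if entry is None or entry["owner"] != owner:
            return False
        del self._links[key]
        return True
```

In a real deployment the CDN object behind the link would also need to be deleted or made unreachable on expiry and revocation, since a link store alone does not remove the stored media.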