The popular SMS messaging app for Android GO SMS Pro is still exposing the privately shared photos, videos and files of millions of users despite the fact that Trustwave researchers recently disclosed that the app has a major security flaw.
The cybersecurity firm discovered back in August that media files sent via GO SMS Pro are stored insecurely on a publicly accessible server that can be accessed using some very minor scripting. Although it isn’t possible to link the media files to specific users, those files that include faces, names or other identifying characteristics put the privacy of users at risk online.
A new version of GO SMS Pro was uploaded to the Play Store the day before Trustwave publicly disclosed that the app had a serious security flaw. Google then removed the app from its store but at the time of writing, version 7.94 of the app is available to download.
According to Trustwave, it appears that the app’s developer GOMO is trying to fix the issue but a complete fix is still not available. In version 7.93 of GO SMS Pro the ability to send media files has been completely disabled while version 7.94 allows users to upload media to the app but these files don’t appear to go anywhere when sent to another user.
Still vulnerable
Despite GOMO’s attempts to fix its app, Trustwave has confirmed that older media used to verify the original vulnerability is still available online. The exposed media files contain quite a bit of sensitive data including driver’s licenses, health insurance account numbers, legal documents and pictures of a more ‘romantic’ nature.
Cybercriminals are well aware of the flaw in GO SMS Pro and Trustwave has discovered numerous tools and scripts designed to exploit the vulnerability on sites such as Pastebin and GitHub. Several of these more popular tools are updated on a daily basis and the firm has also observed underground forums sharing images downloaded directly from the app’s servers.
Unfortunately, GOMO has been less than cooperative when it comes to working with Trustwave on fixing the vulnerability.
The developer has made some changes to GO SMS Pro but for the time being, Trustwave recommends that users “avoid sending media files that you expect to remain private or that may contain sensitive data using this popular messenger app”.
Comments are closed.