Security researchers at Trustwave discovered the flaw in August and contacted the app maker with a 90-day deadline to fix the issue, as is standard practice in vulnerability disclosure to allow enough time for a fix. But after the deadline elapsed without hearing back, the researchers went public.
Trustwave shared its findings with TechCrunch this week.
This weakness was discovered on GO SMS Pro v7.91. It is unclear which other versions are affected but we believe this is likely to affect previous and potentially future versions as well. The GO SMS Pro application, like other messenger apps, allows users to send private media to other users as demonstrated below. If the recipient has the GO SMS Pro app on their device, the media would be displayed automatically within the app.
However, if the recipient does not have the GO SMS Pro app installed, the media file is sent to the recipient as a URL via SMS. The user could then click on the link and view the media file via a browser.
SpiderLabs found that accessing the link was possible without any authentication or authorization, meaning that any user with the link is able to view the content. In addition, the URL link was sequential (hexadecimal) and predictable. Furthermore, when sharing media files, a link will be generated regardless of the recipient having the app installed. As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future. This obviously impacts the confidentiality of media content sent via this application.