The vulnerable version of the app, which has 100 million users, uses easily predictable URLs to link to private content.
A security weakness discovered in the GO SMS Pro Android app can be exploited to publicly expose media sent using the app, according to researchers.
The GO SMS Pro application is a popular messenger app with more than 100 million downloads from the Google Play store. Researchers at Trustwave SpiderLabs said that private voice messages, video messages and photos are all at risk of being compromised by a trivially exploitable flaw in version 7.91.
When a user sends a multimedia message, the recipient can receive it even if they don’t themselves have GO SMS Pro installed. In that case, the media file is sent to the recipient as a URL via SMS, so the person can click on the link to view the media file in a browser window.
“SpiderLabs found that accessing the link was possible without any authentication or authorization, meaning that any user with the link is able to view the content,” researchers explained in a Thursday posting.
In and of itself, this could be exploitable via a piece of SMS-parsing malware or a browser-based info-stealer. But the researchers also found that the URLs used for media are sequential and predictable.
So, by predicting the next URL in the hexadecimal sequence, a malicious user could view any number of users’ media without consent.
“[They could] potentially access any media files sent via this service and also any that are sent in the future,” researchers noted. “By incrementing the value in the URL, it is possible to view or listen to other media messages shared between other users.”
A simple bash script could be used to generate a sample list of URLs using the predictable changes in the addresses, they added, which can simply be pasted into the multi-tab extension on Chrome or Firefox for easy viewing.
The saving grace is that an attacker would not be able to link the media back to a specific user, unless the media file itself leaks a person’s identity.
“For instance, a profile picture can be searched for using reverse image search, a driver’s license image or legal documents will have personally identifiable information (PII) that can be used to tie the image to specific people, etc.,” Karl Sigler, senior security research manager at SpiderLabs, told Threatpost. “However, a random picture of a sunset will likely not be easily traced back to a person.”
It is nonetheless a concerning bug, Sigler added. He said that because an attacker can’t directly target specific users, “I wouldn’t consider this a critical severity…but the wide net that can be thrown around potentially sensitive data certainly justifies a high severity.”
This weakness was confirmed in GO SMS Pro v7.91, as mentioned — but the developer released a new version (v7.93) on Wednesday. SpiderLabs has not yet tested this new iteration of the app (but Sigler said he plans to), nor did the developer ever acknowledge the bug despite multiple attempts at contact starting in mid-August, researchers said.
A fix would include adding proper access controls in the cloud instance, implementing longer unique IDs in the URL that will prevent sequential walking through the data, or simply taking down the cloud instance entirely until the issue can be addressed, according to Sigler.
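Two of the fixes Sigler lists, access control on the media endpoint and long non-sequential IDs, can be combined in one link format. The sketch below is an added example, not code from GO SMS Pro, SpiderLabs or the original article; the `/m/` path, the `exp` and `sig` parameters, the one-week lifetime and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

SIGNING_KEY = secrets.token_bytes(32)   # assumption: per-deployment server secret
LINK_TTL_SECONDS = 7 * 24 * 3600        # assumption: links expire after one week
_media = {}                             # stand-in for the cloud media store


def _sign(media_id, expires):
    """HMAC over the ID and expiry, so neither can be altered by the client."""
    msg = f"{media_id}:{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(blob, now=None):
    """Store media under a random 128-bit ID and return a signed, expiring path."""
    now = int(time.time()) if now is None else now
    media_id = secrets.token_hex(16)    # CSPRNG output, unrelated to any other ID
    expires = now + LINK_TTL_SECONDS
    _media[media_id] = {"blob": blob, "expires": expires}
    return f"/m/{media_id}?exp={expires}&sig={_sign(media_id, expires)}"


def fetch(path, now=None):
    """Return the media only for an intact, unexpired link; otherwise None."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(path)
    query = parse_qs(parts.query)
    media_id = parts.path.removeprefix("/m/")
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return None                     # missing or malformed parameters
    # Verify the signature in constant time before touching the store.
    if not hmac.compare_digest(_sign(media_id, expires).encode(), sig.encode()):
        return None
    record = _media.get(media_id)
    if record is None or record["expires"] != expires or now > expires:
        return None
    return record["blob"]
```

With this format, a request for a neighbouring ID fails the signature check, and a leaked link stops working once it expires.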
Users should upgrade to the latest version in case it addresses the bug, but to ensure that content remains private, “it is highly recommended to avoid sending media files via the app that you expect to remain private or that may contain sensitive data using this popular messenger app, at least until the vendor acknowledges this vulnerability and remediates it,” according to SpiderLabs.
Threatpost reached out to the developer for more information on whether the new version patches the issue — all mailboxes were full.
“This should not be common but inexperienced developers could easily let something like this slip,” Sigler said. “This is why it’s important to add in security testing to any application development lifecycle.”