Android users should pay attention to a serious security issue with a hugely popular Google Play Store app. The Go SMS Pro app is a popular messaging service which has been downloaded by Android users more than 100 million times from the Google Play Store. However, security researchers have discovered a major vulnerability in the Android app that could expose private photos, videos and other files that have been sent by users.
And, according to a post by TechCrunch, the app's makers have not fixed the issue despite being notified about it months ago.
In August, security researchers from Singapore-based cybersecurity firm Trustwave discovered the flaw in Go SMS Pro and contacted the app's makers about it.
The developers were given a 90-day deadline to close the vulnerability before the security specialists went public with their findings.
However, after this date passed without hearing back from the makers of the Android app, Trustwave released details of their research.
In a post online, Trustwave said the flaw was found in Go SMS Pro version 7.91, with older and future versions believed to be affected too.
Like other messaging apps, Go SMS Pro lets users send private media such as photos, videos or files to one another.
However, the problem arises when someone using Go SMS Pro sends something to another Android user who does not have the app installed.
When this happens, the media file is delivered to the recipient as a URL instead of within the app, which allows the person receiving the file to click on a web link and open it in their browser.
However, researchers found these URLs were easy to predict because they were generated sequentially.
So any nefarious party that knew how these URLs were generated could simply alter the identifier in a link they had received, stepping through millions of other web addresses that point at other users' files.
In their research online Trustwave said: "Accessing the link was possible without any authentication or authorisation, meaning that any user with the link is able to view the content.
"In addition, the URL link was sequential (hexadecimal) and predictable. Furthermore, when sharing media files, a link will be generated regardless of the recipient having the app installed.
"As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future. This obviously impacts the confidentiality of media content sent via this application."
Meanwhile, Karl Sigler, senior security research manager at Trustwave, told TechCrunch: "An attacker can create scripts that could throw a wide net across all the media files stored in the cloud instance".
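To make the enumeration concrete, here is an added example that is not Go SMS Pro's code or Trustwave's research script: a constructed, in-memory stand-in for a media-sharing service that can mint either sequential hexadecimal links (the weak pattern Trustwave describes) or random ones, followed by the kind of script Sigler refers to, which walks the identifiers on either side of one legitimately received link and collects every file it can reach. The class and function names, the counter's starting value, the sample file contents and the host name media.example are all assumptions made for the illustration.

```python
"""Constructed demo: why sequential hexadecimal share links are enumerable.

Added illustration, not Go SMS Pro's code or Trustwave's script. MediaShare
is a hypothetical in-memory stand-in for a media-sharing web service; the
host name "media.example" and the counter start value are placeholders.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHARE_HOST = "https://media.example/share/"   # assumed placeholder host


@dataclass
class MediaShare:
    """Minimal share service: stores a blob and hands back a link.

    random_ids=False reproduces the weak pattern described in the article:
    each link is the next value of a counter rendered as hex, and fetching
    a link requires no authentication or authorization.
    """
    random_ids: bool
    _next: int = 0x1000                       # constructed starting counter
    _store: Dict[str, bytes] = field(default_factory=dict)

    def share(self, blob: bytes) -> str:
        if self.random_ids:
            # 16 random bytes -> 128 bits of entropy; cannot be found by counting.
            ident = secrets.token_hex(16)
        else:
            ident = format(self._next, "x")   # "1000", "1001", "1002", ...
            self._next += 1
        self._store[ident] = blob
        return SHARE_HOST + ident

    def fetch(self, url: str) -> Optional[bytes]:
        # No authentication or authorization: anyone holding the link reads it.
        if not url.startswith(SHARE_HOST):
            return None
        return self._store.get(url[len(SHARE_HOST):])


def enumerate_links(service: MediaShare, known_url: str, window: int) -> List[str]:
    """Attacker script: starting from one legitimately received link, try the
    identifiers `window` below and above it and keep every URL that serves
    content. Parsing the identifier as hex mirrors the sequential
    (hexadecimal) scheme; a 128-bit random identifier has no neighbours to find."""
    base = int(known_url[len(SHARE_HOST):], 16)
    found: List[str] = []
    for n in range(base - window, base + window + 1):
        candidate = SHARE_HOST + format(n, "x")
        if candidate != known_url and service.fetch(candidate) is not None:
            found.append(candidate)
    return found


def run_demo(random_ids: bool, other_users: int = 50, window: int = 100) -> int:
    """Simulate `other_users` senders each sharing a private file, then one
    recipient who was sent a single link; return how many of the OTHER users'
    files that recipient can reach by enumeration."""
    svc = MediaShare(random_ids=random_ids)
    for i in range(other_users):
        svc.share(f"private file of sender {i}".encode())   # constructed sample data
    my_link = svc.share(b"file actually sent to me")
    return len(enumerate_links(svc, my_link, window))


if __name__ == "__main__":
    print("sequential hex IDs, other users' files reachable:", run_demo(random_ids=False))
    print("random IDs,         other users' files reachable:", run_demo(random_ids=True))
```

With sequential identifiers the recipient of a single link recovers every other stored file; with 128-bit random identifiers the same script finds nothing in the window it scans. Random identifiers only close the guessing channel, though: the fetch path still serves anyone holding a link, so a link that leaks through a shared device, a proxy log or a screenshot still exposes the file. A complete fix therefore also binds the link to the intended recipient or lets it expire, rather than relying on the identifier alone.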
Trustwave said they have contacted the makers of the Go SMS Pro app several times since August 18 without receiving a response.
As a result, at the time of releasing their findings, Trustwave said the vulnerability still existed and presented a risk to users.
They advised anyone using the Go SMS Pro Android app against sending media files that they wanted to remain private or that contained sensitive data until this issue is resolved.