In August this year, Trustwave researchers revealed that the famous IM application GO SMS Pro has a major security flaw. All media sent via the application is stored insecurely on a publicly accessible server, where it can be retrieved using some very minor scripting. Even though it is not possible to link the files to a specific user, images containing faces, names, or other identifying characteristics put users’ privacy at risk online.
Just a day before this news broke, a new version of the application was uploaded to the Play Store, but it was taken down. However, the application is now back on the Play Store, and version 7.94 is available for download. GO SMS Pro’s parent company GOMO is trying to fix the issue, but a complete fix is still not available. In version 7.93 of GO SMS Pro, the ability to send media files has been completely disabled, whereas version 7.94 allows users to upload media to the app, but these files are not sent.
Despite GOMO’s efforts, according to a recent report by Trustwave, the older media used to verify the original vulnerability is still available online. The worst part is, the exposed media files contain quite a bit of sensitive data, including driver’s licenses, health insurance account numbers, legal documents, and personal family pictures.
Trustwave detailed that cybercriminals are well aware of the flaw in GO SMS Pro, and that numerous tools and scripts designed to exploit the vulnerability are available on sites such as Pastebin and GitHub.
In the meantime, avoid downloading this app from the Google Play Store.