The GO SMS Pro Android app has published two new versions on Google Play since a major security weakness was disclosed in November – but neither fixes the original issue, leaving 100 million users at risk for privacy violations, researchers said.
Meanwhile, a raft of exploitation tools have been released in the wild for the bug.
That’s according to Trustwave SpiderLabs, which originally discovered a security issue that can be exploited to publicly expose private voicemails, video missives and photos sent using the popular messenger app.
With GO SMS Pro, when a user sends a multimedia message, the recipient can receive it even if they don’t themselves have the app installed. In that case, the media file is sent to the recipient as a URL via SMS, so the person can click on the link to view the media file in a browser window. The issue is that there’s no authentication required to view the content, so anyone with the link (and links can be guessable) can click through to the content.
“With some very minor scripting, it is trivial to throw a wide net around that content,” according to Trustwave. “While it’s not directly possible to link the media to specific users, those media files with faces, names, or other identifying characteristics do that for you.”
Some of the available-to-be-hacked content. Source: Trustwave.
A new version of the app was uploaded to the Play Store the day before the original Trustwave advisory on Nov. 19; followed quickly by a second updated version on Nov. 23. Trustwave has now tested both versions, specifically v7.93 and v7.94.
“We can confirm that older media used to verify the original vulnerability is still available,” researchers explained in a Tuesday posting. In other words, past messages that have been sent are still accessible. “That includes quite a bit of sensitive data like driver’s licenses, health insurance account numbers, legal documents, and of course, pictures of a more ‘romantic’ nature.”
Unfortunately, cybercrooks have been quick to exploit the problem, with “more tools and scripts released to exploit this on sites like Pastebin and Github than you can shake a stick at,” according to Trustwave. “Several popular tools are updating daily and on their third or fourth revision. We’ve also seen underground forums sharing images downloaded from GO SMS servers directly.”
As for the new versions, “It seems like [the developer] is attempting to fix the issue, but a complete fix is still not available in the app,” researchers explained. “For v7.93, it appears that they disabled the ability to send media files completely. We were not even able to attach files to an MMS message. In v7.94, they are not blocking the ability to upload media in the app, but the media does not appear to go anywhere…the recipient does not receive any actual text either with or without attached media. So, it appears they are in the process of trying to fix the root problem.”
Trustwave said that it still has had no contact from the GO SMS Pro team.
“Our only avenue is public education to keep users from continuing to risk their sensitive photos, videos and voice messages,” researchers said. “Given that old data is still at risk and being actively leaked, in addition to the lack of communication or full fixes, we also think it would be a good idea for Google to take this app back down.”
GO SMS Pro did not immediately return a request for comment.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and other security experts, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.
