[BreachExchange] Incomplete 'Go SMS Pro' Patch Left Millions of Users' Data Still Exposed Online

Destry Winant destry at riskbasedsecurity.com
Thu Dec 3 10:45:40 EST 2020


https://thehackernews.com/2020/12/incomplete-go-sms-pro-patch-left.html

A week after cybersecurity researchers disclosed a flaw in the popular
GO SMS Pro messaging app, it appears the developers of the app are
silently taking steps to fix the issue from behind the scenes.

The security misstep made it possible for an attacker to come up with
a trivial script to access media files transferred between users,
including private voice messages, photos, and videos, stored on an
unauthenticated, publicly accessible server.

Although the behavior was observed on version 7.91 of GO SMS Pro for
Android, the app makers have since released three subsequent updates,
two of which (v7.93 and v7.94) were pushed to the Google Play Store
after public disclosure of the flaw and Google's removal of the app
from the marketplace.

Google reinstated the app on the Play Store on November 23.

Following an analysis of the updated versions, Trustwave researchers
said, "GOMO is attempting to fix the issue, but a complete fix is still
not available in the app."

In v7.93 the developers turned off the ability to send media files
entirely, while the next update (v7.94) brought the functionality
back, albeit in a broken form.

"In v7.94, they are not blocking the ability to upload media in the
app, but the media does not appear to go anywhere," the researchers
said. "The recipient does not receive any actual text either with or
without attached media. So it appears they are in the process of
trying to fix the root problem."

What's more, Trustwave confirmed that older media shared prior to the
advisory are still accessible, including a cache of sensitive
information like driver's licenses, health insurance account numbers,
legal documents, and photos of a more "romantic" nature.

Troublingly, not only have tools and exploits leveraging this
vulnerability been released on Pastebin and GitHub, but underground
forums also appear to be sharing images downloaded directly from GO SMS
servers.

Given the lack of communication from the app developers and the fact
that old data is actively being leaked, users are advised to refrain
from using the app until the issues are fully patched.

"We also think it would be a good idea for Google to take this app
back down," the researchers said.
