[BreachExchange] Android messaging app with 100M users found exposing messages

Destry Winant destry at riskbasedsecurity.com
Mon Nov 23 10:56:54 EST 2020


https://www.hackread.com/android-messaging-app-found-exposing-messages/

According to the Play Store, the Go SMS Pro app is highly popular
among Android users with more than 100 million users.

Apps and websites are commonly found to have vulnerabilities that
eventually get patched; that is the typical story in the
cybersecurity world. In the latest such incident, a flaw has been
found in GO SMS Pro, an Android messaging app with over 100 million
installations.

The flaw affects the most sensitive part of any messaging app: it
exposes the messages transmitted between users, comprising texts,
voice notes, photos, and videos.

Discovered by researcher Richard Tan from Trustwave Security, the flaw
is believed to have started from the app’s version 7.91, released on
February 18 earlier this year. However, earlier and subsequent
versions may include it as well, although this is not confirmed.

To see how the flaw works, we need to understand the messaging feature
within the application.

To start with, when two GO SMS Pro users send each other a message, it
is displayed to them right within the app, just as a WhatsApp message
would be. However, what happens when the recipient is not an app
user?

In that case, the sender’s message is sent to the recipient’s SIM as a
link. This is where the problem starts. Irresponsibly, that link can
be accessed by anyone who gets hold of it, not just the person using
the recipient’s SIM.

In addition, a link is generated even when media files are shared
between two people who are both users of the app. Explaining further,
the researcher stated in a blog post that:

"Browsing to http://gs.3g.cn/D/dd1efd/w would allow the recipient to
view the voice message. However, by incrementing the value in the URL,
it is possible to view or listen to other media messages shared
between other users. For example, accessing http://gs.3g.cn/D/e3a6b4/w
would show a photo of a fake driver’s license [sample license shown
below]."

Using this, attackers could quite easily generate different URLs in
order to gain unauthorized access to the data of others. Furthermore,
once this data is accessed, it could be used to blackmail victims and
even to conduct further attacks on them involving social engineering.

To conclude, currently, the flaw has not been patched (so much for our
typical cybersecurity story) but the researcher has contacted the GO
SMS Pro team.

If you are a GO SMS Pro user, it may be wise to stop using the app
until then. This holds true for iOS as well, as it too may have been
compromised, even if we’re not sure. In the future, we’ll continue
updating you on how the patching process goes.
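
The link weakness described above comes from share IDs that follow a
counter. The sketch below is an added example, not code from the
article, the researcher or the app: it puts a counter-based link store
beside one that issues CSPRNG tokens with an expiry, plus an audit
helper that flags stores whose "next" ID resolves. All class names,
the 128-bit token size and the starting counter value are assumptions.

```python
import hashlib
import secrets
import time

class SequentialLinkStore:
    """Weak pattern: the link ID is a counter rendered as hex."""
    def __init__(self, start=0x100000):  # constructed starting value
        self._next, self._media = start, {}

    def share(self, media: bytes) -> str:
        link_id = format(self._next, "x")
        self._next += 1
        self._media[link_id] = media
        return link_id

    def fetch(self, link_id: str):
        return self._media.get(link_id)  # neighbours resolve just as well

class RandomTokenLinkStore:
    """Hardened pattern: unguessable token, hashed at rest, with expiry."""
    def __init__(self, ttl=24 * 3600, clock=time.time):  # assumed lifetime
        self._ttl, self._clock = ttl, clock
        self._media = {}  # sha256(token) -> (expires_at, media)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def share(self, media: bytes) -> str:
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._media[self._key(token)] = (self._clock() + self._ttl, media)
        return token

    def fetch(self, token: str):
        key = self._key(token)
        expires_at, media = self._media.get(key, (0, None))
        if self._clock() >= expires_at:  # unknown or expired link
            self._media.pop(key, None)
            return None
        return media

def neighbour_is_valid(store, link_id: str) -> bool:
    """Audit check: does link_id + 1 resolve to another user's media?"""
    try:
        guess = format(int(link_id, 16) + 1, "x")
    except ValueError:
        return False  # not a hex counter, so there is no "next" ID
    return store.fetch(guess) is not None
```

Random tokens and expiry only remove guessability; the link is still a
bearer secret, so anyone who obtains it can open the media unless the
server also authenticates the recipient.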

