Privacy Alert: Android app still exposing messages of 100M users despite bug fix


Feb 4, 2016
GO SMS Pro, an Android instant messaging app with more than 100 million installs, is still exposing the privately shared messages of millions of users even though the developer has been working on a fix for the flaw behind the data leak for almost two weeks.

The flaw, discovered by Trustwave researchers three months ago and publicly disclosed on November 19, enabled unauthenticated attackers to gain unrestricted access to voice messages, videos, and photos privately shared by GO SMS Pro users.

How privately shared media was exposed

Private files sent by users to contacts who don't have GO SMS Pro installed can be accessed from the app's servers via a shortened URL which redirects to a content delivery network (CDN) server used to store all shared messages.