The vulnerability stems from the way media content is displayed when recipients do not have the GO SMS Pro application installed on their devices, leading to potential exposure.
“If the recipient has the GO SMS Pro application on their gadget, the media would be shown automatically within the application,” Tan said. “Nevertheless, if the recipient does not have the GO SMS Pro application mounted, the media data is sent to the recipient as a link via text. The individual can after that click on the web link and watch the media file using an internet browser.”
Specifically, by incrementing the sequential hexadecimal values in the URL (e.g., “https://gs.3g.cn/D/e3a6b4/w”), the flaw makes it possible to view or listen to other media messages shared between other users. An attacker can use this technique to generate a list of URLs and steal user data without the users' knowledge.
It’s likely that the flaw affects the iPhone version of GO SMS Pro as well, but until a fix is in place, it is highly recommended to avoid sending media files using the affected messenger app.
We have reached out to the developers of GO SMS Pro, and we will update the story if we hear back.
GO SMS Pro, a popular messaging app for Android with over 100 million installs, has been found to have an unpatched security flaw that publicly exposes media transferred between users, including private voice messages, photos, and videos.
“This indicates any sensitive media shared between users of this messenger application is at risk of being endangered by an unauthenticated opponent or interested customer,” Trustwave Senior Security Consultant Richard Tan said in a report shared with The Hacker News.
According to Trustwave SpiderLabs, the flaw was found in version 7.91 of the app, which was released on the Google Play Store on February 18, 2020.
The cybersecurity firm said it tried to contact the app makers multiple times since August 18, 2020, without receiving a response.
But according to the app’s changelog, GO SMS Pro received an update (v7.92) on September 29, followed by another update, which was published yesterday. The latest updates to the app, however, still do not address the weakness mentioned above.
Not only is this link (e.g., “https://gs.3g.cn/D/dd1efd/w”) accessible to anyone without prior authentication, the URL is generated regardless of whether the recipient has the app installed, thereby allowing a malicious actor to access any media files sent via the app.
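The two properties described above (sequential hexadecimal identifiers and links served without authentication) can be contrasted with a hardened design in a small in-memory model. This is an added example, not code from GO SMS Pro or from the Trustwave report; the class names, the starting counter value and the `neighbours_exposed` audit helper are hypothetical.

```python
import secrets
import time

class SequentialLinkStore:
    """Weak design: link IDs are a counter rendered as hex, no access check."""
    def __init__(self, start=0xA000):  # constructed starting value
        self._next = start
        self._media = {}

    def share(self, sender, recipient, blob):
        link_id = format(self._next, "x")
        self._next += 1
        self._media[link_id] = blob
        return link_id

    def fetch(self, link_id, requester=None):
        return self._media.get(link_id)  # any valid ID returns the file to anyone

class HardenedLinkStore:
    """Hardened design: 128-bit random token, bound to the recipient, expiring."""
    def __init__(self, ttl_seconds=3600):
        self._ttl = ttl_seconds
        self._media = {}

    def share(self, sender, recipient, blob):
        token = secrets.token_hex(16)  # unguessable; adjacent values are unused
        self._media[token] = (recipient, time.time() + self._ttl, blob)
        return token

    def fetch(self, link_id, requester=None):
        entry = self._media.get(link_id)
        if entry is None:
            return None
        recipient, expires, blob = entry
        if requester != recipient or time.time() > expires:
            return None  # wrong or anonymous requester, or link has expired
        return blob

def neighbours_exposed(store, known_id, span=4):
    """Audit check: count adjacent hex IDs that resolve for an unrelated requester."""
    base = int(known_id, 16)
    return sum(
        store.fetch(format(base + d, "x"), requester="outsider") is not None
        for d in range(-span, span + 1) if d != 0
    )

if __name__ == "__main__":
    for store in (SequentialLinkStore(), HardenedLinkStore()):
        ids = [store.share("alice", "bob", b"voice-note") for _ in range(10)]
        print(type(store).__name__, neighbours_exposed(store, ids[5]))
```
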