When it comes to third-party messaging apps for Android, Go SMS Pro is one of the most popular ones out there. It has over 100 million installs as per its Google Play Store listing and markets itself as the number one platform to replace Android’s stock messaging app. Unfortunately for its users, security researchers have discovered a major security flaw in the app.
The app allows users to share photos, videos, and other files in the form of a web address so that those who don’t even have the app can access the files easily with the help of the link. Security researchers at Trustwave discovered that these links are sequential. This means that anyone who knows one web address can predict others and access files stored in them without proper consent.
Moreover, “An attacker can create scripts that could throw a wide net across all the media files stored in the cloud instance,” Karl Sigler, Senior Security Research Manager at Trustwave told TechCrunch.
The weakness was discovered on version 7.91 of the Go SMS Pro app. It is currently on version 7.93, with the latest update having rolled out on November 18. However, Trustwave believes that the vulnerability likely affects previous and potentially future versions as well. TechCrunch also independently verified Trustwave’s findings.
The security firm shared its finding with the app maker in August and gave it 90 days to fix the issue, as is standard practice in the industry. But after the deadline expired without a response, the researchers made their findings public.
So if you’re using Go SMS Pro right now, chances are you’re still affected. You might want to consider making a switch to another messaging app till the flaw is fixed.