A security loophole was discovered in the GO SMS Pro application on Android, which can be used to leak private data such as photos and videos.
The texting application is a popular one among Android users, with over 10 crore (100 million) downloads recorded on the Google Play Store. According to researchers at Trustwave SpiderLabs, version 7.91 of the application can expose users' photos, videos, and voice messages; at the time of the report, the flaw had not been fixed by the developer.
The flaw arises from the basic functioning of the application: when a user sends a multimedia message, the recipient can receive it without having GO SMS Pro installed. To make that possible, the media file is delivered as a URL via SMS, and the recipient opens the file by merely clicking the link, which loads it in a browser window. "SpiderLabs found that accessing the link was possible without any authentication or authorisation, meaning that any user with the link is able to view the content," researchers explained on Thursday.
The researchers also found that the media URLs are generated sequentially, as an incrementing hexadecimal value, so anyone holding one valid link can work out the neighbouring links and retrieve other users' media without ever having received them.
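To make the two findings concrete, here is an added illustration (not code from the article, Trustwave, or the GO SMS Pro developer) of why a sequential, unauthenticated link is enumerable and what a hardened link looks like. The host name, the URL layout and the counter's starting value are invented for the example; they are not the real service's URL scheme.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

BASE = "https://media.example"  # assumed placeholder host, not the real service


def _media_id(url):
    """Last path segment of a link, i.e. the media identifier."""
    return urlparse(url).path.rsplit("/", 1)[-1]


class SequentialHost:
    """Toy model of a media host that names files with an incrementing hex counter
    and serves any link without checking who asks (the pattern the article describes)."""

    def __init__(self, start=0x1000):  # starting value is arbitrary
        self._next = start
        self._store = {}

    def upload(self, blob):
        media_id = format(self._next, "x")
        self._next += 1
        self._store[media_id] = blob
        return f"{BASE}/{media_id}"

    def fetch(self, url):
        # No authentication or authorisation: possessing the link alone grants access.
        return self._store.get(_media_id(url))


def enumerate_neighbours(host, known_url, window=4):
    """Given one valid link, try the IDs on either side of it.
    Returns {url: blob} for every neighbour that resolved."""
    known = int(_media_id(known_url), 16)
    found = {}
    for candidate in range(known - window, known + window + 1):
        url = f"{BASE}/{candidate:x}"
        blob = host.fetch(url)
        if blob is not None:
            found[url] = blob
    return found


class SignedHost:
    """Hardened variant: an unguessable random ID plus an HMAC-signed, expiring link,
    so guessing neighbours, tampering with the expiry and replaying old links all fail."""

    def __init__(self, key, ttl=3600):
        self._key = key
        self._ttl = ttl
        self._store = {}

    def _sign(self, media_id, expires):
        msg = f"{media_id}|{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def upload(self, blob, now=None):
        media_id = secrets.token_urlsafe(16)  # 128 random bits; unrelated to the previous ID
        expires = int(now if now is not None else time.time()) + self._ttl
        self._store[media_id] = blob
        return f"{BASE}/{media_id}?exp={expires}&sig={self._sign(media_id, expires)}"

    def fetch(self, url, now=None):
        now = int(now if now is not None else time.time())
        qs = parse_qs(urlparse(url).query)
        media_id = _media_id(url)
        try:
            expires = int(qs["exp"][0])
            sig = qs["sig"][0]
        except (KeyError, ValueError):
            return None  # unsigned or malformed link
        if now > expires:
            return None  # link has expired
        if not hmac.compare_digest(sig, self._sign(media_id, expires)):
            return None  # forged signature, or id/exp altered after signing
        return self._store.get(media_id)


if __name__ == "__main__":
    seq = SequentialHost()
    links = [seq.upload(f"photo{i}".encode()) for i in range(5)]
    print("one leaked sequential link exposes", len(enumerate_neighbours(seq, links[2])), "files")
    signed = SignedHost(secrets.token_bytes(32))
    link = signed.upload(b"private")
    print("signed link resolves:", signed.fetch(link) == b"private")
```

The random ID removes the enumeration problem, and the signed expiry removes the "anyone with the link, forever" problem; neither replaces proper per-recipient authorisation, but together they are the minimum a link-based delivery scheme should have.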
However, the silver lining to this bug is that it does not directly reveal the identity of any specific user, unless the content of the media itself does. "A profile picture can be searched for using reverse image search, a driver's license image or legal documents will have personally identifiable information (PII) that can be used to tie the image to specific people. However, a random picture of a sunset will likely not be easily traced back to a person," said Karl Sigler, senior security research manager at SpiderLabs.
The developer released a new version (v.7.93) on Wednesday. However, SpiderLabs has not yet tested this new iteration of the app, nor did the developer ever acknowledge the previous bug.
Users are still advised to upgrade to the latest version, in the hope that it addresses the bug, and to stop sharing sensitive material through the app in the meantime: "it is highly recommended to avoid sending media files via the app that you expect to remain private or that may contain sensitive data ... at least until the vendor acknowledges this vulnerability and remediates it," SpiderLabs commented.