Trustwave researchers discovered vulnerability in GO SMS Pro app, installed over 100,000,000 times. Due to the bug, multimedia files (voice messages, videos and images) exchanged by users were made available to anyone.
You can even extract files from the application server that were intended for users on whose devices GO SMS Pro is not installed. To do this, you need to use a shortened URL like https: //gs.3g (.) Cn / D / dd1efd / w, which is used to redirect to the CDN used by the application for shared files. Such URLs are generated consistently and predictably for each shared file when that content is stored on a CDN server. As a result, a potential attacker is able to view these files without even knowing the URLs themselves and without any authentication.
Journalists of the edition Bleeping computer checked the findings of the researchers by examining about 20 such links, among which were photos of users' cars, screenshots of various messages, personal photos (including erotic), video, audio and even photos of confidential documents.
The researchers point out that creating a simple script that quickly generates lists of addresses leading to photos, videos, and other user files is a trivial task.
Trustwave specialists notified the developers of the problem on August 20, 2020, but they did not receive answers to three of their letters. As a result, the experts disclosed the vulnerability data publicly. Bleeping Computer notes that their attempts to contact the developers have also failed, and the company's website is generally unavailable: instead, visitors see a message about the successful installation of the Tengine web server.