The popular SMS messaging app for Android GO SMS Pro (opens in new tab) is still exposing the privately shared photos, videos and files of millions of users despite the fact that Trustwave (opens in new tab) researchers recently disclosed that the app has a major security flaw.
The cybersecurity firm discovered back in August that media files sent via GO SMS Pro are stored insecurely on a publicly accessible server that can be accessed using some very minor scripting. Although it isn't possible to link the media files to specific users, those files that include faces, names or other identifying characteristics put the privacy of users at risk online.
A new version of GO SMS Pro was uploaded to the Play Store (opens in new tab) the day before Trustwave publicly disclosed that the app had a serious security flaw. Google then removed the app from its store but at the time of writing, version 7.94 of the app is available to download.
- We've put together a list of the best VPN (opens in new tab) services on the market
- Keep your devices virus free with the best malware removal (opens in new tab) software
- Also check out our roundup of the best ransomware protection (opens in new tab)
According to Trustwave, it appears that the app's developer GOMO is trying to fix the issue but a complete fix is still not available. In version 7.93 of GO SMS Pro the ability to send media files has been completely disabled while version 7.94 allows users to upload media to the app but these files don't appear to go anywhere when sent to another user.
Still vulnerable
Despite GOMO's attempts to fix its app, Trustwave has confirmed that older media used to verify the original vulnerability is still available online. The exposed media files contain quite a bit of sensitive data including driver's licenses, health insurance account numbers, legal documents and pictures of a more 'romantic' nature.
Cybercriminals are well aware of the flaw in GO SMS Pro and Trustwave has discovered numerous tools and scripts designed to exploit the vulnerability on sites such as Pastebin (opens in new tab) and GitHub (opens in new tab). Several of these more popular tools are updated on a daily basis and the firm has also observed underground forums sharing images downloaded directly from the app's servers.
Unfortunately, GOMO has been less than cooperative when it comes to working with Trustwave on fixing the vulnerability.
The developer has made some changes to GO SMS Pro but for the time being, Trustwave recommends (opens in new tab) that users “avoid sending media files that you expect to remain private or that may contain sensitive data using this popular messenger app”.
- We've also highlighted the best antivirus (opens in new tab) software