The Go SMS Pro messaging app has over 100m downloads and a 4.5 star rating, but the developers are playing fast and loose with users’ privacy.
A Chinese messaging app that prides itself on pretty themes and emojis had an ugly secret: It was publishing users’ sensitive files for anyone on the internet to see.
Go SMS Pro, a messaging app from GOMO Apps available on the Google Play Store, has over 100 million downloads and an average of 4.5 stars in its customer reviews. You think that would make it a safe bet, right? Think again.
Researchers at Trustwave SpiderLabs had already notified the company in mid-August about a flaw in the messaging app’s handling of media files. Like many messaging apps, Go SMS Pro allows users to send each other media such as image files, videos, and audio clips. If the recipient also has the app installed, it displays the media automatically within the user interface. Recipients who aren’t using the app still get an SMS notification that the media file is waiting for them, along with a URL to access it.
SpiderLabs found that anyone could access a URL link without authentication. The key part of the link that took visitors to specific files was a unique parameter at the end of the URL. Changing that parameter could give you access to a different person’s information. The parameter used sequential hexadecimal numbers, making it easy to page through large numbers of files intended for different people without the victims being any the wiser.
What was the app vulnerability?
If you’re an app developer, take note: this is a classic insecure direct object reference (IDOR) vulnerability, in which an application exposes an object directly via a public-facing reference. It isn’t a problem so long as you authenticate your sessions properly to stop anyone accessing those objects without authorisation.
Because GOMO Apps didn’t, anyone with an internet connection could browse through their users’ sensitive files as easily as leaving through the pages of a book.
Trustwave’s researchers found users’ nude photos, private videos and audio recordings, and photos of sensitive documents freely accessible online.
The researchers said they notified Go SMS Pro’s publishers four times with no response before eventually publishing its advisory on 19 November 2020 with the data still publicly available. The drama didn’t stop there, though.
Cybercriminals continue to scrape and share the data
Google blocked the app from the Play Store a day after the first advisory dropped, but then allowed the publication of a new version three days later on November 23, 2020. The publishers made a clunky attempt at a fix by still allowing people to upload media files to the app but then not sending that media anywhere. The recipients wouldn’t get the messages containing the links to those files.
Unfortunately, the publisher had not addressed the real problem, which was that hundreds of users’ files originally uploaded using the flawed app were still publicly available, including drivers’ licenses and health insurance account numbers. Online criminals had since latched onto the opportunity and were publishing scripts to scrape the data, while underground forums were sharing some of the compromised pictures, Trustwave said in an update on 1 December.
Since Trustwave published its report, GOMO has updated the app again but still with no word of thanks to the researchers and no information on whether it fixed the underlying gaping security hole. It shows just how dangerous it is to trust apps simply because they made it into the Google Play Store and have thousands of downloads.
It’s important to remember that any app or piece of software may suffer occasional bugs or security holes, but how the developers react to and remediate the discovery of those bugs is extremely telling, and points to how they regard the safety of their users in general.
How to message safely
When it comes to messaging, sticking to brand name apps from reputable vendors is a good security measure, as is the use of end-to-end encrypted messaging.
Security bugs will still arise even in the most popular apps, but publishers with bug bounties and/or a solid track record of acknowledging bugs and working with security researchers to fix them are a safer bet when keeping your data safe.