Android chat app with 100 million installs exposes private messages
2020-11-19 10:12

GO SMS Pro, an Android instant messaging application with over 100 million installs, is publicly exposing private multimedia files shared between its users.

By abusing a flaw in the app, unauthenticated attackers can gain access to private voice messages, videos, and photos shared by GO SMS Pro users, as Trustwave security researchers discovered three months ago.

Private media files sent by users to contacts who don't have the app installed on their devices can be accessed from the app's servers using a shortened URL, which redirects to a content delivery network server that GO SMS Pro uses to store all shared files.

BleepingComputer was able to confirm the researchers' findings by going through roughly two dozen such links, finding photos of users' cars, screenshots of other messages and Facebook posts, nude photos, videos, audio recordings, and even photos of sensitive documents.

Trustwave's researchers said that it is trivial to create a simple script that would quickly generate a list of addresses linking to photos and videos shared using this vulnerable app.


News URL

https://www.bleepingcomputer.com/news/security/android-chat-app-with-100-million-installs-exposes-private-messages/

Related vendor

LAST 12M

| VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|
| Android | 4 | 0 | 17 | 2 | 0 | 19 |