
Android app still exposing messages of 100M users despite bug fix
2020-12-01 09:00

GO SMS Pro, an Android instant messaging app with more than 100 million installs, is still exposing the privately shared messages of millions of users even though the developer has been working on a fix for the flaw behind the data leak for almost two weeks.

Private files sent by users to contacts who don't have GO SMS Pro installed can be accessed from the app's servers via a shortened URL which redirects to a content delivery network server used to store all shared messages.

The shortened URLs sent to contacts without the app were generated sequentially each time files were shared between users, with the media itself stored on the CDN server.

"A new version of the app was uploaded to the Play Store the day before we released our advisory and Google then removed the app from the Play Store sometime on Friday, November 20th, the day after we released our advisory," the researchers said today in a report shared with BleepingComputer earlier this week.

Although the developer has released new versions to address the flaw, the fix only partially addresses it: all media shared previously is still accessible, even though the sharing feature no longer works in the latest version.
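The two points above (sequentially generated share links, and a fix that leaves previously shared media reachable) can be seen in a small model of a share-link backend. This is an added example, not code from GO SMS Pro or from the researchers' report; the class, method names, token length and expiry period are all assumptions.

```python
import secrets
import time

TOKEN_BYTES = 16  # 128 bits of randomness per link (assumed length)


class ShareLinks:
    """Hypothetical share-link store mapping a link id to a stored media object."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._links = {}   # link id -> (object key, expiry timestamp, is_legacy)
        self._counter = 0

    def issue_sequential(self, object_key):
        """The 'before' design: each id is the previous one plus one and never expires."""
        self._counter += 1
        link_id = format(self._counter, "x")
        self._links[link_id] = (object_key, float("inf"), True)
        return link_id

    def issue_random(self, object_key, ttl=7 * 24 * 3600):
        """Hardened design: the id comes from a CSPRNG and the link expires."""
        link_id = secrets.token_urlsafe(TOKEN_BYTES)
        self._links[link_id] = (object_key, self._clock() + ttl, False)
        return link_id

    def resolve(self, link_id):
        """Return the object key for a live link, or None if unknown or expired."""
        entry = self._links.get(link_id)
        if entry is None:
            return None
        if self._clock() >= entry[1]:
            del self._links[link_id]
            return None
        return entry[0]

    def revoke_legacy(self):
        """Retire every counter-derived link so media shared before the fix stops resolving."""
        legacy = [k for k, v in self._links.items() if v[2]]
        for link_id in legacy:
            del self._links[link_id]
        return len(legacy)
```

Changing only how new links are issued corresponds to the partial fix described above; it is the `revoke_legacy` step that covers files shared before the update.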


News URL

https://www.bleepingcomputer.com/news/security/android-app-still-exposing-messages-of-100m-users-despite-bug-fix/