Go SMS Pro, a Popular Android Messaging App, Exposed Millions of Users’ Private Photos and Files

Zack Whittaker, reporting for TechCrunch:

When a Go SMS Pro user sends a photo, video or other file to someone who doesn’t have the app installed, the app uploads the file to its servers, and lets the user share a web address by text message so the recipient can see the file without installing the app. But the researchers found that these web addresses were sequential. In fact, any time a file was shared — even between app users — a web address would be generated regardless. That meant anyone who knew about the predictable web address could have cycled through millions of different web addresses to users’ files.

Go SMS Pro has more than 100 million installs, according to its listing in Google Play.

TechCrunch verified the researcher’s findings. In viewing just a few dozen links, we found a person’s phone number, a screenshot of a bank transfer, an order confirmation including someone’s home address, an arrest record, and far more explicit photos than we were expecting, to be quite honest.

Not what you want from an SMS app.
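One way to close the hole described in the quoted report, as an added example that is not part of the original post or the app's code: the share link carries an HMAC over the file id and an expiry time, so incrementing the id in a known link yields a token the server rejects. The key handling, token layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret held only on the server, never in the app.
SHARE_KEY = secrets.token_bytes(32)


def _mac(file_id: str, expires_at: str, key: bytes) -> str:
    msg = f"{file_id}.{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_share(file_id: int, expires_at: int, key: bytes = SHARE_KEY) -> str:
    """Build the token placed in the share URL: 'file_id.expires_at.mac'."""
    return f"{file_id}.{expires_at}.{_mac(str(file_id), str(expires_at), key)}"


def verify_share(token: str, now: int, key: bytes = SHARE_KEY):
    """Return the file id if the token is authentic and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    fid, exp, mac = parts
    # Reject anything that is not plain ASCII digits before parsing.
    if not all(p.isascii() and p.isdigit() for p in (fid, exp)):
        return None
    expected = _mac(fid, exp, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if now > int(exp):
        return None
    return int(fid)


def demo():
    """Constructed values: file 1000, link valid until t=2000."""
    token = sign_share(1000, 2000)
    fid, exp, mac = token.split(".")
    neighbour = f"{int(fid) + 1}.{exp}.{mac}"  # sequential guess, reused MAC
    return (verify_share(token, 1500),      # genuine link
            verify_share(neighbour, 1500),  # id bumped by one
            verify_share(token, 2001))      # genuine link after expiry


if __name__ == "__main__":
    print(demo())
```

The internal file ids can stay sequential; what matters is that the server refuses any request whose MAC does not match the id and expiry it carries.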

Monday, 23 November 2020