When a Go SMS Pro user sends a photo, video or other file to
someone who doesn’t have the app installed, the app uploads the
file to its servers, and lets the user share a web address by
text message so the recipient can see the file without
installing the app. But the researchers found that these web
addresses were sequential. In fact, any time a file was shared — even between app users — a web address would be generated
regardless. That meant anyone who knew about the predictable web
address could have cycled through millions of different web
addresses to users’ files.
Go SMS Pro has more than 100 million installs, according to its
listing in Google
TechCrunch verified the researcher’s findings. In viewing just a
few dozen links, we found a person’s phone number, a screenshot of
a bank transfer, an order confirmation including someone’s home
address, an arrest record, and far more explicit photos than we
were expecting, to be quite honest.
Not what you want from an SMS app.