According to her security researchers TrustwaveThe application GO SMS Pro has one vulnerability, which may be used by third parties for acquisition access in private voice messages, videos and photos shared by users.
How are private messages exposed?
Private media files sent by users to contacts who have not installed the application on their devices, may be compromised through servers of the application. This is done using one abbreviated URL that redirects to a content delivery network (CDN) server, used by GO SMS Pro to store all sent files.
These abbreviated URLs are generated sequentially (with a hexadecimal counter) each time a file is shared between users and stored on the CDN server.
This allows anyone to see the private messages (files) that users of the application send to each other.
Trustwave researchers said that it is very easy to create a simple one script that would quickly create a list of addresses associated with photos and videos sent via GO SMS Pro.
"Getting the generated URLs and pasting them into the multi-tab extension in Chrome or Firefox, you can easily access private (and possibly sensitive) media files sent by users of this application", They explained.
Trustwave has decided to publicly reveal the vulnerability that makes the Android chat application vulnerable, as well as tried to contact the application developer but found no response. The researchers contacted the developer on August 18, and after receiving no response to three other emails sent in September, October and earlier this week, decided to reveal the vulnerability.
Source: Bleeping Computer