The GO SMS Pro app has been downloaded 100 million times; meanwhile, underground message boards are actively sharing images stolen from GO SMS servers.
The GO SMS Pro Android app has released two new versions on Google Play since a major security weakness was disclosed in November – but neither fixes the original issue, leaving 100 million users at risk of privacy violations, researchers said.
Meanwhile, a raft of exploitation tools have been released in the wild for the bug.
That is according to Trustwave SpiderLabs, which originally discovered a security issue that can be exploited to publicly expose private voicemails, video messages and photos sent using the popular messenger app.
With GO SMS Pro, when a user sends a multimedia message, the recipient can receive it even if they do not have the app installed themselves. In that case, the media file is sent to the recipient as a URL via SMS, so the recipient can simply click on the link to view the media file in a browser window. The problem is that no authentication is required to view the content, so anyone with the link (and links can be guessable) can simply click through to the content.
“With some very minor scripting, it is trivial to throw a wide net around that content,” according to Trustwave. “While it is not directly possible to link the media to specific users, those media files with faces, names, or other identifying characteristics do that for you.”
Some of the available-to-be-hacked data. Source: Trustwave.
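The weakness described above is a share link that is both guessable and unauthenticated, so anyone who can enumerate or obtain a link can fetch the media indefinitely. The following is an added example of the defensive pattern a messaging backend would use instead; it is not code from GO SMS Pro or Trustwave, and the secret key, hostname and parameter names are constructed for the demonstration. Each link carries a random 128-bit media id (not a counter), an expiry, and an HMAC binding the two, so a link cannot be guessed or extended and old media stops being reachable once the link expires.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values: a real service would keep the key in a secrets
# manager and rotate it. The host is a placeholder, not the app's server.
SERVER_SECRET = b"constructed-demo-secret-rotate-in-production"
MEDIA_BASE = "https://media.example.invalid/m"


def _signature(media_id: str, expires: int) -> str:
    """HMAC-SHA256 over the id and expiry so neither can be altered."""
    message = f"{media_id}:{expires}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def issue_media_link(ttl_seconds: int = 3600,
                     now: Optional[int] = None) -> Tuple[str, str]:
    """Create the share link for a newly uploaded media file.

    The id is 16 random bytes from the OS CSPRNG, so sequential guessing
    is infeasible; the expiry limits how long a leaked link stays useful.
    Returns (media_id, url)."""
    media_id = secrets.token_urlsafe(16)
    issued = now if now is not None else int(time.time())
    expires = issued + ttl_seconds
    query = urlencode({"id": media_id, "exp": expires,
                       "sig": _signature(media_id, expires)})
    return media_id, f"{MEDIA_BASE}?{query}"


def verify_media_link(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the media id if the link is authentic and unexpired, else None.

    Rejects missing or malformed parameters, expired links, and any link
    whose id or expiry was tampered with (constant-time signature check)."""
    params = parse_qs(urlparse(url).query)
    try:
        media_id = params["id"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    current = now if now is not None else int(time.time())
    if current > expires:
        return None
    if not hmac.compare_digest(sig, _signature(media_id, expires)):
        return None
    return media_id
```

Signed, expiring links still grant access to anyone holding the link, so a service that needs per-recipient access control would additionally require the recipient to authenticate before the content is served.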
A new version of the app was uploaded to the Play Store the day before the original Trustwave advisory on Nov. 19, followed quickly by a second updated version on Nov. 23. Trustwave has now tested both versions, specifically v7.93 and v7.94.
“We can confirm that older media used to verify the original vulnerability is still accessible,” researchers explained in a Tuesday posting. In other words, previously sent messages are still accessible. “That includes quite a bit of sensitive data like driver’s licenses, health insurance account numbers, legal documents, and of course, photos of a more ‘romantic’ nature.”
Unfortunately, cybercrooks have been quick to exploit the problem, with “more tools and scripts created to exploit this on sites like Pastebin and Github than you can shake a stick at,” according to Trustwave. “Several popular tools are updating daily and on their third or fourth revision. We’ve also seen underground forums sharing pictures downloaded from GO SMS servers directly.”
As for the new versions, “It looks like [the developer] is attempting to address the issue, but a complete fix is still not available in the app,” researchers explained. “For v7.93, it appears that they disabled the ability to send media files completely. We were not even able to attach files to an MMS message. In v7.94, they are not blocking the ability to add media in the app, but the media does not seem to go anywhere…the recipient does not receive any actual text either with or without attached media. So, it seems they are in the process of trying to fix the root issue.”
Trustwave said that it still has had no contact from the GO SMS Pro team.
“Our only avenue is public education to keep users from continuing to risk their sensitive photos, videos and voice messages,” researchers said. “Given that old data is still at risk and being actively leaked, in addition to the lack of communication or complete fixes, we also think it would be a good idea for Google to take this app back down.”
GO SMS Pro did not immediately return a request for comment.