Frame-14

Privacy Ninja

        • DATA PROTECTION

        • Email Spoofing Prevention
        • Check if your organization email is vulnerable to hackers and put a stop to it. Receive your free test today!
        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • AntiHACK Phone
        • Boost your smartphone’s security with enterprise-level encryption, designed by digital forensics and counterintelligence experts, guaranteeing absolute privacy for you and up to 31 others, plus a guest user, through exclusive access.

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$3,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Secure your digital frontiers with our API penetration testing service, meticulously designed to identify and fortify vulnerabilities, ensuring robust protection against cyber threats.

        • Network Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Mobile Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Web Penetration Testing
        • Fortify your web presence with our specialized web penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats.

        • RAPID DIGITALISATION

        • OTHERS

Android App Still Exposing Messages Of 100M Users Despite Bug Fix

Android App Still Exposing Messages Of 100M Users Despite Bug Fix

GO SMS Pro, an Android instant messaging app with more than 100 million installs, is still exposing the privately shared messages of millions of users even though the developer has been working on a fix for the flaw behind the data leak for almost two weeks.

The flaw, discovered by Trustwave researchers three months ago and publicly disclosed on November 19, enabled unauthenticated attackers to gain unrestricted access to voice messages, videos, and photos privately shared by GO SMS Pro users.

How privately shared media was exposed

Private files sent by users to contacts who don’t have GO SMS Pro installed can be accessed from the app’s servers via a shortened URL which redirects to a content delivery network (CDN) server used to store all shared messages.

However, the shortened URLs sent to contacts without the app were sequentially generated each time files were shared between users and the media stored on the CDN server.

That made it very easy to go through all these privately shared files, even without knowing the full list of shared URLs.

Also Read: What Is A Governance Framework? The Importance And How It Works

As the researchers found and BleepingComputer was able to verify, the shared files include photos of users’ cars, screenshots of other private messages and Facebook posts, videos and audio recordings, photos of sensitive documents, and even nude photos.

“By taking the generated URLs and pasting them into the multi-tab extension on Chrome or Firefox, it is trivial to access private (and potentially sensitive) media files sent by users of this application,” the researchers explained.

GO SMS Pro share URLs (Trustwave)​​

New versions didn’t fix the data leak problem

“A new version of the app was uploaded to the Play Store the day before we released our advisory and Google then removed the app from the Play Store sometime on Friday, November 20th, the day after we released our advisory,” the researchers said today in a report shared with BleepingComputer earlier this week.

“However, as of Monday, November 23rd, Google has reinstated the Play Store app with an updated version that same day.”

Despite this, after releasing new versions to address the flaw, the fix partially addresses the flaw exposing users’ private files since all media previously shared is still accessible — even though the sharing feature is no longer working in the latest version.

Sadly for those who have already shared sensitive files using GO SMS Pro there is no way to delete them from the app’s storage server.

Thus anyone can batch download them using a script that generates a list of addresses linking to photos and videos shared using vulnerable app versions.

GO SMS Pro exploit scripts (Trustwave)

“Unfortunately, we’ve seen a lot of activity around this vulnerability. There have been more tools and scripts released to exploit this on sites like Pastebin and Github than you can shake a stick at,” the researchers added.

To make things even worse, images downloaded from GO SMS Pro’s servers are already being shared on underground forums, and developers of several scripts used to list and download such private messages are updating them daily.

Until now, despite their attempts, the app’s developers haven’t been able to block access to millions of users’ private photos, videos, and voice messages uploaded before this flaw was partially addressed.

Also Read: Website Ownership Laws: Your Rights And What These Protect

Therefore the users’ sensitive messages can be accessed by anyone using publicly available tools an issue which, unfortunately, cannot be fixed even if Google decides to take down the app from the Play Store.

On top of it all, even though Trustwave shared the details of the vulnerability with the app’s developer on August 18 they haven’t received any reply to any of their emails. BleepingComputer has also reached out to the developer team but our messages also went unanswered.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us