The GO SMS Pro app has been downloaded 100 million instances now, underground forums are actively sharing illustrations or photos stolen from GO SMS servers.
The GO SMS Pro Android app has published two new variations on Google Enjoy considering that a key security weak spot was disclosed in November – but neither fixes the original issue, leaving 100 million consumers at risk for privacy violations, researchers reported.
Meanwhile, a raft of exploitation equipment have been unveiled in the wild for the bug.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
That is according to Trustwave SpiderLabs, which at first found out a security issue that can be exploited to publicly expose non-public voicemails, video missives and photographs despatched applying the common messenger application.
With GO SMS Pro, when a person sends a multimedia message, the recipient can acquire it even if they really don’t them selves have the application set up. In that circumstance, the media file is sent to the receiver as a URL by using SMS, so the human being can simply click on the website link to check out the media file in a browser window. The issue is that there’s no authentication expected to check out the written content, so any one with the backlink (and back links can be guessable) can click via to the articles.
“With some really minor scripting, it is trivial to toss a broad net close to that information,” according to Trustwave. “While it’s not immediately probable to url the media to specific consumers, these media data files with faces, names, or other identifying properties do that for you.”
A new version of the app was uploaded to the Enjoy Retail outlet the working day ahead of the primary Trustwave advisory on Nov. 19 adopted promptly by a 2nd up-to-date edition on Nov. 23. Trustwave has now examined the two variations, exclusively v7.93 and v7.94.
“We can confirm that more mature media made use of to verify the unique vulnerability is nonetheless out there,” scientists discussed in a Tuesday publishing. In other phrases, earlier messages that have been sent are however available. “That includes rather a little bit of sensitive info like driver’s licenses, overall health insurance policies account quantities, authorized files, and of study course, shots of a a lot more ‘romantic’ mother nature.”
Regretably, cybercrooks have been fast to exploit the challenge, with “more instruments and scripts produced to exploit this on web sites like Pastebin and Github than you can shake a adhere at,” according to Trustwave. “Several well-known resources are updating day by day and on their third or fourth revision. We’ve also observed underground discussion boards sharing pictures downloaded from GO SMS servers immediately.”
As for the new versions, “It appears like [the developer] is making an attempt to take care of the issue, but a comprehensive take care of is however not accessible in the app,” scientists spelled out. “For v7.93, it seems that they disabled the skill to deliver media documents totally. We ended up not even equipped to attach files to an MMS message. In v7.94, they are not blocking the capability to add media in the app, but the media does not show up to go anywhere…the receiver does not get any actual text both with or without hooked up media. So, it seems they are in the course of action of trying to repair the root difficulty.”
Trustwave stated that it nonetheless has experienced no speak to from the GO SMS Pro group.
“Our only avenue is public training to retain consumers from continuing to risk their delicate images, video clips and voice messages,” researchers stated. “Given that outdated info is however at risk and remaining actively leaked, in addition to the lack of interaction or whole fixes, we also feel it would be a good thought for Google to acquire this app again down.”
GO SMS Pro did not promptly return a ask for for comment.
Place Ransomware on the Operate: Save your location for “What’s Subsequent for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what is coming in the ransomware environment and how to combat back again.
Get the most recent from John (Austin) Merritt, Cyber Risk Intelligence Analyst at Electronic Shadows, and other security gurus, on new forms of attacks. Subject areas will consist of the most hazardous ransomware threat actors, their evolving TTPs and what your corporation needs to do to get in advance of the upcoming, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.
Some components of this write-up are sourced from:
threatpost.com