Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Discussing the Go SMS Pro Discovery

What if the messenger app that you were using was not only exposing your data to almost anyone on the Internet who wanted to find it – but was also making that data available to cybercriminals who have a vested motivation to exploit and sell it? 

That’s exactly the nightmare scenario that Richard Tan, a Senior Security Consultant with Trustwave SpiderLabs, discovered. The popular messaging app Go SMS Pro, an Android based app with over 100 million downloads, was (and still is as of the time of this writing) exposing the data generated by its users, including sensitive photos, which have already been found for sale on cybercriminal forums. Even worse, exploiting this vulnerability doesn’t require any specialized programming or hacking skills – as it can be abused by virtually anyone with basic knowledge of computers.

This major finding, detailed in an initial post and then a follow up on the Trustwave SpiderLabs blog, has been covered by The Verge, TechCrunch, Dark Reading and other publications. Read below to learn more about how Richard Tan made the discovery. 

Q: Could you tell us about your role with Trustwave SpiderLabs? 

Richard: I am a senior security consultant at Trustwave SpiderLabs. Part of my day-to-day role involves providing penetration testing services to our clients globally and working with them to manage risk and help strengthen their security posture against cyberthreats.

Q: Tell us about your recent discovery 

Richard: I discovered that the GO SMS Pro Android application (a popular app with over 100 million downloads on Google Play), was insecurely generating unprotected links when media files such as voice message, photos, and videos were sent to different users. No permissions were required to view these media files when the link was accessed. In addition, as the media links are sequential, an attacker could potentially craft a list of every possible link generated in the past and access them.

Q: What led you to suspect something was wrong? 

Richard: While researching the GO SMS Pro app, when I sent a media file to a mobile device that did not have the app installed, I received an SMS text message containing a link to the media file. This immediately generated a red flag for me as the link could be accessed without being logged in (no authentication required). I then sent a few more media messages and noticed that the links were sequential as well. Further analysis confirmed that the link was generated regardless if the recipient was a GO SMS Pro user or not.  

Q: How could this exploit be potentially used? 

Richard: 
An attacker could write a simple script and potentially download every users’ media files that were sent in the past, including future ones as well – if the issue is not remediated.

Q: Has the developer responded? 

Richard:
 The developer has not responded since August despite multiple attempts to contact them. 

 Q: Did anyone else from Trustwave SpiderLabs contribute to this work?

Richard: I discovered this vulnerability myself. However, I received disclosure support from the Security Advisory team including Tres Acton and Kevin Tran.


16447_spiderlabs-penetration-testing-services-cover
DATA SHEET

Trustwave SpiderLabs Penetration Testing Services

Defensive controls alone cannot secure your applications or networks. Even highly automated, sophisticated and advanced security tools and technologies are often vulnerable to attacks and are no match for the determination and creativity of the human mind. Penetration testing employs the ingenuity of the human intellect to expose the effectiveness of an organization’s security controls in real-world situations against skilled hackers. Learn more about Trustwave SpiderLabs vast portfolio of penetration testing services.

Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More