What if the messenger app that you were using was not only exposing your data to almost anyone on the Internet who wanted to find it – but was also making that data available to cybercriminals who have a vested motivation to exploit and sell it?
That’s exactly the nightmare scenario that Richard Tan, a Senior Security Consultant with Trustwave SpiderLabs, discovered. The popular messaging app Go SMS Pro, an Android based app with over 100 million downloads, was (and still is as of the time of this writing) exposing the data generated by its users, including sensitive photos, which have already been found for sale on cybercriminal forums. Even worse, exploiting this vulnerability doesn’t require any specialized programming or hacking skills – as it can be abused by virtually anyone with basic knowledge of computers.
This major finding, detailed in an initial post and then a follow up on the Trustwave SpiderLabs blog, has been covered by The Verge, TechCrunch, Dark Reading and other publications. Read below to learn more about how Richard Tan made the discovery.
Q: Could you tell us about your role with Trustwave SpiderLabs?
Richard: I am a senior security consultant at Trustwave SpiderLabs. Part of my day-to-day role involves providing penetration testing services to our clients globally and working with them to manage risk and help strengthen their security posture against cyberthreats.
Q: Tell us about your recent discovery
Richard: I discovered that the GO SMS Pro Android application (a popular app with over 100 million downloads on Google Play), was insecurely generating unprotected links when media files such as voice message, photos, and videos were sent to different users. No permissions were required to view these media files when the link was accessed. In addition, as the media links are sequential, an attacker could potentially craft a list of every possible link generated in the past and access them.
Q: What led you to suspect something was wrong?
Richard: While researching the GO SMS Pro app, when I sent a media file to a mobile device that did not have the app installed, I received an SMS text message containing a link to the media file. This immediately generated a red flag for me as the link could be accessed without being logged in (no authentication required). I then sent a few more media messages and noticed that the links were sequential as well. Further analysis confirmed that the link was generated regardless if the recipient was a GO SMS Pro user or not.
Q: How could this exploit be potentially used?
Richard: An attacker could write a simple script and potentially download every users’ media files that were sent in the past, including future ones as well – if the issue is not remediated.
Q: Has the developer responded?
Richard: The developer has not responded since August despite multiple attempts to contact them.
Q: Did anyone else from Trustwave SpiderLabs contribute to this work?
Richard: I discovered this vulnerability myself. However, I received disclosure support from the Security Advisory team including Tres Acton and Kevin Tran.
Defensive controls alone cannot secure your applications or networks. Even highly automated, sophisticated and advanced security tools and technologies are often vulnerable to attacks and are no match for the determination and creativity of the human mind. Penetration testing employs the ingenuity of the human intellect to expose the effectiveness of an organization’s security controls in real-world situations against skilled hackers. Learn more about Trustwave SpiderLabs vast portfolio of penetration testing services.