Android chat app with 100 million installs exposes private messages


GO SMS Pro, an Android instant messaging application with over 100 million installs, is publicly exposing private multimedia files shared between its users.

By abusing a flaw in the app, unauthenticated attackers can gain access to private voice messages, videos, and photos shared by GO SMS Pro users, as Trustwave security researchers discovered three months ago.

The private media files that users send to contacts who don’t have the app installed on their devices can be accessed from the app’s servers through a shortened URL, which redirects to a content delivery network (CDN) server that GO SMS Pro uses to store all shared files.

Source: Bleeping Computer