The problem stems from the fact that when users send messages to one another, they're stored on Go SMS Pro servers and message recipients are given shortened URLs which directs them to the actual content.

Unfortunately, those URLs are generated sequentially, which of course means that any hacker who spends a bit of time experimenting can correctly deduce the next URL in the sequence and easily access content that was not intended for him or her. This opens literally all of the content shared by all the users of the app open to abuse. Once the shortened URL is deduced, it's simply a matter of copying and pasting it into any browser.

The code team leapt into action and was quick to update the app with a version that promised to close that loophole. On November 20 ^th , 2020, Google removed the old version and replaced it with the updated one.

Unfortunately, the latest version didn't actually fix the problem. The new version disabled the share functionality so that no new content can be shared, but all of the previously shared materials are still on the server and can still be accessed. Worse, there's absolutely nothing that an individual user can do to remove his or her previously shared content from the app's servers. As word of the flaw has spread, hackers all over the world have been designing tools to download the content.

The bottom line is, if you use this app and you've shared sensitive files with anyone, odds are that one or more hackers now has a copy of whatever you shared.

Used with permission from Article Aggregator