Quote:The GO SMS Pro Android app has published two new versions on Google Play since a major security weakness was disclosed in November – but neither fixes the original issue, leaving 100 million users at risk for privacy violations, researchers said.
 
Meanwhile, a raft of exploitation tools have been released in the wild for the bug. That’s according to Trustwave SpiderLabs, which originally discovered a security issue that can be exploited to publicly expose private voicemails, video missives and photos sent using the popular messenger app.
 
With GO SMS Pro, when a user sends a multimedia message, the recipient can receive it even if they don’t themselves have the app installed. In that case, the media file is sent to the recipient as a URL via SMS, so the person can click on the link to view the media file in a browser window. The issue is that there’s no authentication required to view the content, so anyone with the link (and links can be guessable) can click through to the content.
 
“With some very minor scripting, it is trivial to throw a wide net around that content,” according to Trustwave. “While it’s not directly possible to link the media to specific users, those media files with faces, names, or other identifying characteristics do that for you.”
 
A new version of the app was uploaded to the Play Store the day before the original Trustwave advisory on Nov. 19; followed quickly by a second updated version on Nov. 23. Trustwave has now tested both versions, specifically v7.93 and v7.94.
 
“We can confirm that older media used to verify the original vulnerability is still available,” researchers explained in a Tuesday posting. In other words, past messages that have been sent are still accessible. “That includes quite a bit of sensitive data like driver’s licenses, health insurance account numbers, legal documents, and of course, pictures of a more ‘romantic’ nature.”