fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Android App Still Exposing Messages Of 100M Users Despite Bug Fix

Android App Still Exposing Messages Of 100M Users Despite Bug Fix

GO SMS Pro, an Android instant messaging app with more than 100 million installs, is still exposing the privately shared messages of millions of users even though the developer has been working on a fix for the flaw behind the data leak for almost two weeks.

The flaw, discovered by Trustwave researchers three months ago and publicly disclosed on November 19, enabled unauthenticated attackers to gain unrestricted access to voice messages, videos, and photos privately shared by GO SMS Pro users.

How privately shared media was exposed

Private files sent by users to contacts who don’t have GO SMS Pro installed can be accessed from the app’s servers via a shortened URL which redirects to a content delivery network (CDN) server used to store all shared messages.

However, the shortened URLs sent to contacts without the app were sequentially generated each time files were shared between users and the media stored on the CDN server.

That made it very easy to go through all these privately shared files, even without knowing the full list of shared URLs.

Also Read: What Is A Governance Framework? The Importance And How It Works

As the researchers found and BleepingComputer was able to verify, the shared files include photos of users’ cars, screenshots of other private messages and Facebook posts, videos and audio recordings, photos of sensitive documents, and even nude photos.

“By taking the generated URLs and pasting them into the multi-tab extension on Chrome or Firefox, it is trivial to access private (and potentially sensitive) media files sent by users of this application,” the researchers explained.

GO SMS Pro share URLs (Trustwave)​​

New versions didn’t fix the data leak problem

“A new version of the app was uploaded to the Play Store the day before we released our advisory and Google then removed the app from the Play Store sometime on Friday, November 20th, the day after we released our advisory,” the researchers said today in a report shared with BleepingComputer earlier this week.

“However, as of Monday, November 23rd, Google has reinstated the Play Store app with an updated version that same day.”

Despite this, after releasing new versions to address the flaw, the fix partially addresses the flaw exposing users’ private files since all media previously shared is still accessible — even though the sharing feature is no longer working in the latest version.

Sadly for those who have already shared sensitive files using GO SMS Pro there is no way to delete them from the app’s storage server.

Thus anyone can batch download them using a script that generates a list of addresses linking to photos and videos shared using vulnerable app versions.

GO SMS Pro exploit scripts (Trustwave)

“Unfortunately, we’ve seen a lot of activity around this vulnerability. There have been more tools and scripts released to exploit this on sites like Pastebin and Github than you can shake a stick at,” the researchers added.

To make things even worse, images downloaded from GO SMS Pro’s servers are already being shared on underground forums, and developers of several scripts used to list and download such private messages are updating them daily.

Until now, despite their attempts, the app’s developers haven’t been able to block access to millions of users’ private photos, videos, and voice messages uploaded before this flaw was partially addressed.

Also Read: Website Ownership Laws: Your Rights And What These Protect

Therefore the users’ sensitive messages can be accessed by anyone using publicly available tools an issue which, unfortunately, cannot be fixed even if Google decides to take down the app from the Play Store.

On top of it all, even though Trustwave shared the details of the vulnerability with the app’s developer on August 18 they haven’t received any reply to any of their emails. BleepingComputer has also reached out to the developer team but our messages also went unanswered.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us