Trustwave SpiderLabs Security Advisory TWSL2020-008:
Lack of Access Control in GO SMS Pro

Published: 11/19/2020
Version: 1.0

Vendor: GO SMS Pro (http://www.gomo.com/)
Product: GO SMS Pro https://play.google.com/store/apps/details?id=com.jb.gosms
Version affected: v7.91 and other versions affected

Product description:
GO SMS Pro is a popular messaging application with over 100 Million downloads on the Google Play store.

Finding : Lack of Access Control Exposing Private Media Content
*****Credit: Richard Tan of Trustwave

The GO SMS Pro application allows users to send private media such as voice messages, videos and photos to a recipient. If the recipient does not have the GO SMS Pro application installed, the media is sent to the recipient via an SMS containing a URL link. The user clicks on the link and is able to view the content of the media via a browser on the mobile device. Alternatively, if the recipient has installed the GO SMS Pro application, the media is displayed automatically within the application.

It was observed that media access using the URL link did not have any access control applied, meaning any user with the link is able to view the content. In addition, the URL link was sequential and predictable. As a result, a malicious user could in theory access every media item that was sent, including future ones. This impacts the confidentiality of media messages sent using this application.

The following Proof of Concept (PoC) demonstrates how an attacker could view other users' media messages without authorization:

When a recipient receives an SMS message containing a media URL link sent via this app, the message has the following format:

```
I sent you an audio clip: http://gs.3g.cn/D/dd1efd/w
```

Browsing to http://gs.3g.cn/D/dd1efd/w would allow the recipient to view the voice message. However, by incrementing a value in the URL, it is possible to view or listen to other media messages sent by other users.
For example http://gs.3g.cn/D/dd1edd/w.

Using the following bash script, it is possible to get a sample list of URLs containing sensitive and private media.

```
#!/bin/bash
(echo obase=16; seq 1 $((echo ibase=16; echo FF) | bc)) | bc > 1
for i in $(cat 1); do echo "http://gs.3g.cn/D/dd1a$i /w"; done | tr -d " "
```

Taking a few sample URLs and pasting them into the multi-tab extension on Chrome or Firefox, it is possible to view private media sent by users using this app.

Vendor Response: Non-responsive

Remediation Steps:
Due to the lack of access controls, it is highly recommended to never send media that should remain private or that may contain sensitive data.

Revision History:
08/18/2020 - Vendor contacted with no response
09/15/2020 - Vendor contacted with no response
10/14/2020 - Vendor contacted with no response
11/16/2020 - Vendor contacted with no response
11/19/2020 - Advisory published

References
1. https://play.google.com/store/apps/details?id=com.jb.gosms&hl=en

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research.
The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.

https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
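
Added example (not part of the Trustwave advisory and not GO SMS Pro code): the finding above combines predictable link identifiers with no server-side access check, and this sketch shows how a media-link service could address both. The names SERVER_KEY, LINK_TTL, issue_link and authorize, the /m/ path layout and the 7-day expiry are hypothetical, and it assumes the recipient has already proven control of their phone number (for example with a one-time code) before authorize is called.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret; a real service would load it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)
LINK_TTL = 7 * 24 * 3600  # assumed policy: links expire after 7 days


def _sign(media_id, recipient, nonce, expires):
    """HMAC over every field the link is bound to."""
    msg = "\n".join([media_id, recipient, nonce, str(expires)]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(media_id, recipient, now=None):
    """Return a link path bound to one media item, one recipient and an expiry."""
    issued = time.time() if now is None else now
    expires = int(issued + LINK_TTL)
    nonce = secrets.token_urlsafe(16)  # 128 random bits, so links cannot be enumerated
    tag = _sign(media_id, recipient, nonce, expires)
    return f"/m/{media_id}/{nonce}/{expires}/{tag}"


def authorize(path, authenticated_recipient, now=None):
    """Access check run on every request before any media bytes are returned."""
    current = time.time() if now is None else now
    parts = path.strip("/").split("/")
    if len(parts) != 5 or parts[0] != "m":
        return False
    _, media_id, nonce, expires, tag = parts
    if not expires.isdigit() or int(expires) < current:
        return False  # malformed or expired link
    expected = _sign(media_id, authenticated_recipient, nonce, int(expires))
    return hmac.compare_digest(expected, tag)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    link = issue_link("dd1efd", "+15550100")
    print(link, authorize(link, "+15550100"), authorize(link, "+15550199"))
```

Changing the media identifier in an issued link, presenting it as a different recipient, or using it after expiry all fail the check, so guessing neighbouring identifiers no longer yields content.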