In August, security researchers at Trustwave discovered the flaw and asked the app-maker to fix it.
The researchers said that they had attempted to contact the vendor of Go SMS Pro on Aug. 18, and monthly since then, but had not received any response, noting that the vulnerability is still present.
According to a report prepared by Trustwave, Go SMS Pro uploads every media file you send to the other party, and makes these files accessible with a URL.
The flaw arises from the basic functioning of the application: when a user sends a multimedia message, the recipient can receive it without having the Go SMS Pro application installed. The app does this by sending the recipient a URL via SMS; clicking this URL lets the recipient view the media file in a browser. "However, a random picture of a sunset will likely not be easily traced back to a person," said Karl Sigler, senior security research manager at SpiderLabs.
Trustwave shared its findings with TechCrunch this week. Shortly before that, security firm Avast also listed 21 apps that are best avoided, as they were found to bombard users with ads, even outside the app itself, among other things.
Talking further about the fix for this bug, he says, "A fix would include adding proper access controls in the cloud instance, implementing longer unique IDs in the URL that will prevent sequential walking through the data, or simply taking down the cloud instance entirely until the issue can be addressed." If the recipient doesn't have Go SMS Pro installed on their device, the media file is shared with them as a URL via regular SMS. Go SMS Pro developers were informed about the flaw back in August.
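As an added illustration of the first two remedies named above (access controls and longer, non-sequential IDs), and not code from Trustwave or the app's vendor: the sketch below contrasts a sequential identifier with a random 128-bit one and gates each request behind an HMAC-signed, expiring link. All function names, the URL layout and the key handling are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo key; a real service would load this from a secret store.
SIGNING_KEY = secrets.token_bytes(32)


def weak_media_id(counter: int) -> str:
    """Sequential ID (constructed): one valid ID reveals its neighbours."""
    return format(counter, "06x")


def new_media_id() -> str:
    """128 bits from the OS CSPRNG: IDs carry no ordering to walk."""
    return secrets.token_urlsafe(16)


def _sign(media_id: str, expires: int) -> str:
    msg = f"{media_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_link(media_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Build a link whose expiry is bound to the ID by an HMAC tag."""
    now = time.time() if now is None else now
    expires = int(now) + ttl
    return f"/media/{media_id}?exp={expires}&sig={_sign(media_id, expires)}"


def check_access(media_id: str, exp: str, sig: str,
                 now: Optional[float] = None) -> bool:
    """Server-side gate: reject malformed, tampered or expired requests."""
    now = time.time() if now is None else now
    try:
        expires = int(exp)
    except ValueError:
        return False
    expected = _sign(media_id, expires).encode()
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(expected, sig.encode()):
        return False
    return now <= expires
```

The random ID alone removes the ordering; the signature check is what turns the link into an access control, since a guessed or altered ID no longer returns the file.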
Before sending any files through the app, always keep in mind that they can be viewed by anyone out there. They can also connect to your Instagram DMs if you update your Instagram app, and you have the option to encrypt your conversations.
Earlier this year, an unsecured server belonging to Microsoft exposed the data of more than 250 million users. Using this method, TechCrunch found sensitive financial information, home addresses, transaction receipts, and explicit photos that had been sent through the app.