Trustwave researchers discovered a vulnerability in the GO SMS Pro app installed more than 100,000,000 times. Because of the bug, multimedia files (voice messages, videos, and images) that users exchange are now available to anyone.
You can even extract files from the app server that were intended for users whose devices do not have GO SMS Pro installed. To do this, use a shortened URL like https://gs.3g [.] cn/D/dd1efd/w, which is used for redirecting to the CDN used by the application for shared files. These URLS are generated sequentially and predictably for each shared file when this content is stored on the CDN server. As a result, a potential attacker can view these files without even knowing the URLS themselves and without any authentication.
Bleeping Computer journalists checked the researchers 'conclusions by examining about 20 such links, including photos of users' cars, screenshots of various messages, personal photos (including erotic ones), videos, audio, and even photos of confidential documents.
The researchers note that creating a simple script that would quickly generate lists of addresses leading to photos, videos, and other user files is a trivial task.
Trustwave specialists notified developers about the problem on August 20, 2020, but did not receive responses to their three emails. As a result, experts disclosed data about the vulnerability publicly. Bleeping Computer notes that their attempts to contact the developers also did not lead to anything, and the company's website is generally unavailable: instead, visitors see a message about the successful installation of the Tengine web server.
carders forum carding forum carding tools hackers news hacking news news
You can even extract files from the app server that were intended for users whose devices do not have GO SMS Pro installed. To do this, use a shortened URL like https://gs.3g [.] cn/D/dd1efd/w, which is used for redirecting to the CDN used by the application for shared files. These URLS are generated sequentially and predictably for each shared file when this content is stored on the CDN server. As a result, a potential attacker can view these files without even knowing the URLS themselves and without any authentication.
Bleeping Computer journalists checked the researchers 'conclusions by examining about 20 such links, including photos of users' cars, screenshots of various messages, personal photos (including erotic ones), videos, audio, and even photos of confidential documents.
The researchers note that creating a simple script that would quickly generate lists of addresses leading to photos, videos, and other user files is a trivial task.
Trustwave specialists notified developers about the problem on August 20, 2020, but did not receive responses to their three emails. As a result, experts disclosed data about the vulnerability publicly. Bleeping Computer notes that their attempts to contact the developers also did not lead to anything, and the company's website is generally unavailable: instead, visitors see a message about the successful installation of the Tengine web server.
carders forum carding forum carding tools hackers news hacking news news