
Messaging app Go SMS Pro exposed millions of users’ private photos and files

Zack Whittaker
Security Editor, TechCrunch
November 19, 2020
Go SMS Pro, a widely-used messaging application for Android devices, is currently revealing private photos, videos, and other files exchanged by its users. Concerningly, the application’s developer has not yet addressed this security vulnerability.

Security experts at Trustwave identified this issue in August and informed the app developer, providing a standard 90-day period for remediation – a common practice in vulnerability disclosure to allow sufficient time for a solution. However, with the deadline passing without any response, the researchers decided to make their discovery public.

Trustwave communicated their findings to TechCrunch this week.

The process works as follows: when a Go SMS Pro user transmits a photo, video, or other file to a recipient who does not have the app, the application uploads the file to its servers. The user is then provided with a web link to share via text message, allowing the recipient to view the file without needing to install the application. However, researchers determined that these web links are generated in a predictable sequence. Specifically, a web address is created each time a file is shared, even between users of the app. This meant that anyone aware of this pattern could potentially access users’ files by systematically trying millions of different web addresses.
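The design flaw described above, as an added example that is not from the article or from Trustwave's report: a share-link issuer that hands out counter-based IDs next to one that issues unguessable tokens, stores only their hashes, and expires them. The class names, the decimal counter format, the 128-bit token size and the seven-day expiry are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 16                    # 128 bits from the OS CSPRNG (assumed size)
LINK_TTL_SECONDS = 7 * 24 * 3600    # assumed expiry policy, not from the article

class SequentialLinks:
    """Weak pattern: any link a user has seen reveals its neighbours."""
    def __init__(self, start=1000):
        self._next = start

    def share(self, file_ref):
        link_id = str(self._next)   # counter value goes straight into the URL
        self._next += 1
        return link_id

class RandomLinks:
    """Hardened pattern: random token, stored only as a hash, with expiry."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_digest = {}        # sha256(token) -> (file_ref, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def share(self, file_ref):
        token = secrets.token_urlsafe(TOKEN_BYTES)
        expires = self._clock() + LINK_TTL_SECONDS
        self._by_digest[self._digest(token)] = (file_ref, expires)
        return token                # the plaintext token exists only in the link

    def resolve(self, token):
        entry = self._by_digest.get(self._digest(token))
        if entry is None or self._clock() > entry[1]:
            return None             # unknown or expired: same answer either way
        return entry[0]

def is_predictable(link_ids):
    """Release check: True if issued IDs are integers that each step by one."""
    try:
        nums = [int(i) for i in link_ids]
    except ValueError:
        return False
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))
```

Running `is_predictable` over a batch of freshly issued links in a test suite catches a regression to counter-based IDs before it ships.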

Go SMS Pro boasts over 100 million installations, as indicated by its Google Play Store listing.

TechCrunch independently confirmed the researchers’ findings. By examining only a limited number of links, we uncovered a person’s phone number, a screenshot depicting a bank transfer, an order confirmation containing a home address, an arrest record, and a significant number of explicit images.

Karl Sigler, a senior security research manager at Trustwave, explained that while targeting specific users isn’t feasible, any file transmitted through the app is susceptible to public exposure. He stated, “An attacker could develop automated scripts to broadly scan all media files stored on the cloud infrastructure.”

Attempts to obtain a response from the app developer proved as unsuccessful as the researchers’ efforts. TechCrunch contacted two email addresses associated with the app. One email immediately returned an undeliverable message due to a full inbox. The other email was opened, according to our tracking tools, but a subsequent follow-up email went unanswered.

Given these circumstances, you may be seeking a messaging app that prioritizes your privacy, and we can offer some recommendations.

Zack Whittaker

Zack Whittaker serves as the security editor for TechCrunch and is also the creator of the “this week in security” cybersecurity newsletter. He is available for secure communication via Signal using the username zackwhittaker.1337. Alternatively, you can reach him through email, or confirm the legitimacy of any contact attempts by emailing zack.whittaker@techcrunch.com.