Go SMS Pro, one of the most popular messaging apps for Android, is exposing photos, videos and other files sent privately by its users. Worse, the app maker has done nothing to fix the bug.
Security researchers at Trustwave discovered the flaw in August and contacted the app maker with a 90-day deadline to fix the issue, as is standard practice in vulnerability disclosure to allow enough time for a fix. But after the deadline elapsed without hearing back, the researchers went public.
Trustwave shared its findings with TechCrunch this week.
When a Go SMS Pro user sends a photo, video or other file to someone who doesn’t have the app installed, the app uploads the file to its servers, and lets the user share a web address by text message so the recipient can see the file without installing the app. But the researchers found that these web addresses were sequential. In fact, any time a file was shared — even between app users — a web address would be generated regardless. That meant anyone who knew about the predictable web address could have cycled through millions of different web addresses to users’ files.
Go SMS Pro has more than 100 million installs, according to its listing in Google Play.
TechCrunch verified the researcher’s findings. In viewing just a few dozen links, we found a person’s phone number, a screenshot of a bank transfer, an order confirmation including someone’s home address, an arrest record, and far more explicit photos than we were expecting, to be quite honest.
Karl Sigler, senior security research manager at Trustwave, said while it wasn’t possible to target any specific user, any file sent using the app is vulnerable to public access. “An attacker can create scripts that could throw a wide net across all the media files stored in the cloud instance,” he said.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
We had about as much luck getting a response from the app maker as the researchers. TechCrunch emailed two email addresses associated with the app. One email immediately bounced back saying the email couldn’t be delivered due to a full inbox. The other email was opened, according to our email open tracker, but a follow-up email was not.
Since you might now want a messaging app that protects your privacy, we have you covered.
Cybersecurity 101: How to choose and use an encrypted messaging app
