iOS and Android messaging app GroupMe has had a possible vulnerability fixed quickly by Microsoft, according to The Register. There was no evidence to suggest any cybercriminals had been able to exploit the flaw before it was patched.
The group text messaging app was processing 550 million messages a month back in 2012, and is still extremely popular, with over 5 million installs on Android, according to the Google Play Store.
An exploit was discovered by Dylan Saccomanni, who wrote about a vulnerability within the iOS version of the app that allowed any account to be taken over, provided the attacker had the phone number of their target. "Knowing just the phone number, you could take over their account entirely while simultaneously resetting their password and email address," he wrote when finding the discovery back on August 28.
The exploit worked by taking advantage of the app's "verify a different phone number" option, which was present in version 4.4.4 and earlier. Attackers would need to enter their own email address into the app, but then register the target number of the person they wished to attack. Instead of ejecting the attacker back to the login screen as it should have, the attacker would just have to break a four digit SMS authentication token which could be done via scripts 'brute forcing' the protection.
From there, attackers could potentially change the password, name and email address of the account without triggering any kind of alert.
Fortunately, Microsoft has acted quickly and efficiently to fix the exploit before any harm could come of it, with an update to the app issued less than a month later, on September 17. "The GroupMe team was excellent and very responsive; they maintained close contact throughout the process ... would report again," Saccomanni enthused.
There was no evidence of the exploit being utilized before it was fixed.
