All OnePlus smartphones ship with a ‘Shot on OnePlus’ app that is reachable when users select wallpapers for their phones. According to a report by 9to5Google, this app has allegedly been carrying a security flaw that exposed the email addresses of many users.
The ‘Shot on OnePlus’ app gives OnePlus users a platform to upload photographs they have shot, which may then be featured as wallpapers. According to the report, however, the API that linked the app to its server was leaking the email addresses associated with photo submissions. The API required only an unencrypted key to obtain an access token, and that token then let anyone view the email addresses of users who had uploaded photos to the platform. The API was hosted on open.oneplus.net.
The report further said that the company has been aware of these flaws since early May but has shown no public concern, nor did it disclose that users’ emails were easily accessible to anyone. A fix has been rolled out, but it requires further changes before the issue is fully addressed.
It is not clear how long the API was leaking the data, but the report notes that because OnePlus did not disclose this after the app was found faulty, it believes the API had been leaking data ever since its release, which would be multiple years at least.
Apparently, OnePlus initially did not respond to 9to5Google’s email query regarding the security flaw, but it later provided a statement that read: “OnePlus takes security seriously, and we investigate all reports we receive.” OnePlus appears to have quietly changed the API to address the email address leak, but 9to5Google said in its report that the fixes made to the API for the gid flaw can be bypassed.
The ‘gid’ is an alphanumeric code used to identify a user. Every user who has logged into the Shot on OnePlus app has a gid in this API. The OnePlus API uses this code to fetch the photographs a user has uploaded; it can also be used to fetch that user’s information, such as name, email, and country.
According to an update, a fix for this also appears to be in the works, with modification through the gid presently blocked. The smartphone maker has also reportedly obscured email addresses returned by the API by replacing the username portion with asterisks, leaving only the domain visible, e.g. firstname.lastname@example.org.
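As an added illustration of the mitigation the report describes (this is not OnePlus’s code; the gid format, the record layout and every value below are invented placeholders), a small Python handler that masks the username portion of an email address for anyone other than the account owner and validates the gid before looking it up:

```python
import re
from typing import Optional

# Constructed sample of the kind of record a gid lookup could expose.
# The gids and addresses are placeholders, not real data.
USERS = {
    "a1b2c3": {"name": "Alice Example", "email": "alice.example@example.org",
               "country": "DE", "photos": ["sunset.jpg", "alley.jpg"]},
    "d4e5f6": {"name": "Bob Example", "email": "bob@example.net",
               "country": "IN", "photos": ["market.jpg"]},
}
# Assumed gid format (six lowercase alphanumerics); the real format is not public.
GID_RE = re.compile(r"[0-9a-z]{6}")


def mask_email(email: str) -> str:
    """Replace the username portion with a fixed run of asterisks, keep the domain.

    A fixed count is used deliberately so the mask does not leak the length
    of the original username.
    """
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return "*****@" + domain


def profile(gid: str, requester_gid: Optional[str]) -> dict:
    """Return the public photo listing for a gid; PII only for the owner.

    Anyone gets the photos and a masked address. Name, country and the full
    address are returned only when the authenticated requester *is* that user.
    """
    if not GID_RE.fullmatch(gid):
        raise ValueError("malformed gid")
    rec = USERS.get(gid)
    if rec is None:
        raise KeyError("unknown gid")
    out = {"gid": gid, "photos": list(rec["photos"]),
           "email": mask_email(rec["email"])}
    if requester_gid == gid:
        out.update(name=rec["name"], email=rec["email"], country=rec["country"])
    return out


if __name__ == "__main__":
    print(profile("a1b2c3", None))       # masked view for an anonymous caller
    print(profile("a1b2c3", "a1b2c3"))   # full view for the owner
```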