OnePlus Leaked Email Addresses via 'Shot on OnePlus' App: Report

The security issue existed through the API that listed email addresses of individuals.

OnePlus was reportedly notified of the flaw in early May, and has pushed a fix

Highlights
  • The API behind Shot on OnePlus app was the prime cause of the flaw
  • It was reportedly accessible through an unencrypted key
  • OnePlus is said to have silently fixed the issue

OnePlus devices come preloaded with the 'Shot on OnePlus' app, which allegedly carries a security flaw revealing the email addresses of hundreds of its users. The app offers a place to upload photos that can be featured as wallpapers by OnePlus users globally. However, the API that establishes a link between the OnePlus server and the Shot on OnePlus app was allegedly leaking the email addresses associated with photo submissions. OnePlus was notified of the flaw in early May, and while a fix was rolled out, more changes are reportedly required before it's completely patched.

The Shot on OnePlus app, accessible through the Wallpapers selection menu, asks users to log in using their email addresses to upload photos. Once uploaded, selected photos get released publicly through the API, which was found to offer easy access. According to a report by 9to5Google, the API required an unencrypted key to retrieve an access token that allowed individuals to view the email addresses of users who uploaded their photos. The API was hosted on open.oneplus.net.

"It is unclear for how long this leak was happening, but because OnePlus had no reason to make this data public after the application was out, we believe it was leaking data since its release — multiple years, at least," the report notes.

A "gid" is used in the API to identify users, helping find uploaded photos and delete them through the server. However, it consists of two letters and unique numbers, and could potentially be used to access sensitive data, including the names, email addresses, and countries of the users. It could also be used to modify this information.

OnePlus initially didn't respond to the email query sent by 9to5Google about the security issues, but later provided a statement: "OnePlus takes security seriously, and we investigate all reports we receive." The company offered the same statement to Gadgets 360 when contacted. Nonetheless, it has silently made a list of changes to the API to fix the flaw leaking email addresses, though 9to5Google reports that the fixes made to the API for the gid flaw can be bypassed. An update adds that a fix for this also appears to be in the works, with modification via gid currently blocked. The company has also reportedly obscured email addresses available through the API by adding asterisks to their local parts and making only the domain part visible.
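The two server-side controls described above (masking the local part of an email in public responses, and refusing gid-based changes from anyone who does not own that gid) can be sketched as follows. This is an added example, not OnePlus's code or the real API: the function names, field names, session store and sample records are all hypothetical and constructed for illustration.

```python
# Added illustration; names, fields and records are hypothetical, not OnePlus's API.
# Constructed sample data keyed by a gid-style identifier.
USERS = {
    "AB1000001": {"name": "Asha", "email": "asha.k@example.com", "country": "IN"},
    "AB1000002": {"name": "Liam", "email": "l@example.org", "country": "IE"},
}
# Constructed session store: opaque session token -> gid it was issued to.
SESSIONS = {"tok-asha": "AB1000001"}
EDITABLE_FIELDS = ("name", "country")


def mask_email(email: str) -> str:
    """Hide the local part behind a fixed run of asterisks; keep the domain."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return "***"  # malformed value: reveal nothing
    return "****@" + domain  # fixed width, so the local part's length is hidden too


def public_photo_view(photo: dict) -> dict:
    """Build the public feed entry from an allow-list of fields."""
    owner = USERS[photo["gid"]]
    # The gid and the raw email never leave the server in this view.
    return {
        "title": photo["title"],
        "author": owner["name"],
        "email": mask_email(owner["email"]),
    }


def update_profile(session_token: str, gid: str, changes: dict) -> bool:
    """Apply a profile change only when the caller's session owns that gid."""
    caller_gid = SESSIONS.get(session_token)
    if caller_gid is None or caller_gid != gid:
        return False  # knowing or guessing a gid is not authorization
    USERS[gid].update({k: v for k, v in changes.items() if k in EDITABLE_FIELDS})
    return True


if __name__ == "__main__":
    print(public_photo_view({"gid": "AB1000002", "title": "Dunes"}))
    print(update_profile("tok-asha", "AB1000002", {"name": "changed"}))  # not the owner
    print(update_profile("tok-asha", "AB1000001", {"country": "SG"}))    # owner
```

Building the public response from an allow-list means a field added to the user record later stays private unless someone deliberately exposes it.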

Thankfully, no reports of exploiting details through the security flaw have surfaced online. It is also expected that OnePlus would use the discovery as a learning experience to implement more robust security measures on its offerings. We reached out to OnePlus for clarity on the fix, and were given this statement, "OnePlus takes security seriously, and has updated the ShotOnOnePlus experience."

This is notably not the first time a security issue has been spotted on OnePlus devices. Back in October 2017, the Shenzhen-based company had faced public backlash for an issue within its received a fix shortly.

© Copyright Red Pixels Ventures Limited 2025. All rights reserved.