
OnePlus leaked email IDs of hundreds of users via its app: Report

An issue has been discovered in the Shot on OnePlus app.


OnePlus smartphones come preloaded with the ‘Shot on OnePlus’ app. Today, a report has surfaced online that claims that a security flaw in the app has revealed the email IDs of hundreds of users. For those unaware, the app is a place where users can upload interesting shots taken with their OnePlus device so that other users can pick them as wallpapers for their own handsets.

However, the report says that the API that establishes the link between the OnePlus server and the app was leaking the email IDs that were linked with these photo submissions. The company was made aware of the security flaw in May this year. While the smartphone maker has rolled out a fix for the bug, more changes are required to make sure that it is completely rectified.


Any user who wishes to upload photos to the ‘Shot on OnePlus’ app needs to submit an email ID first. Once the images are uploaded, the photos that are selected are released to all OnePlus users via the API that was found to have the security flaw. The report first surfaced on 9to5Google, and it revealed that the API required an unencrypted key to retrieve an access token. This lets people view the email addresses of those who uploaded the images. It is worth adding that the API was hosted on open.oneplus.net.

The report further adds, “It is unclear for how long this leak was happening, but because OnePlus had no reason to make this data public after the application was out, we believe it was leaking data since its release — multiple years, at least.”


We should add that a ‘gid’ is needed in the API to identify users, find photos and delete them on the server. However, this is made up of two letters and unique numbers, and it can be used to access sensitive data such as the name, email IDs, the countries from which users are uploading images and more. It can also potentially be used to modify the information.
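The two weaknesses described above, a photo feed that returns uploader details and a short identifier that is enough to read or change a user's data, shown beside one way to close them. This is an added example, not OnePlus's code: every function and field name is hypothetical and the records are constructed.

```python
import secrets

PHOTOS = {}  # photo_id -> stored record (in-memory stand-in for the server database)
PUBLIC_FIELDS = ("photo_id", "title", "image_url", "display_name")
EDITABLE_FIELDS = {"title"}

def new_gid():
    """Random 128-bit user id, unlike a two-letter prefix plus a number."""
    return secrets.token_urlsafe(16)

def submit_photo(owner_gid, email, display_name, country, title, image_url):
    photo_id = secrets.token_urlsafe(8)
    PHOTOS[photo_id] = {
        "photo_id": photo_id, "owner_gid": owner_gid, "email": email,
        "display_name": display_name, "country": country,
        "title": title, "image_url": image_url,
    }
    return photo_id

def leaky_feed():
    """Weak form: serializes whole records, so email and gid reach every client."""
    return [dict(r) for r in PHOTOS.values()]

def public_feed():
    """Hardened form: allow-list, so private columns stay private by default."""
    return [{k: r[k] for k in PUBLIC_FIELDS} for r in PHOTOS.values()]

def update_photo(photo_id, session_gid, changes):
    """session_gid must come from the authenticated session, not a request parameter."""
    record = PHOTOS.get(photo_id)
    if record is None or not secrets.compare_digest(record["owner_gid"], session_gid):
        raise PermissionError("caller does not own this photo")
    rejected = set(changes) - EDITABLE_FIELDS
    if rejected:
        raise ValueError(f"fields not editable: {sorted(rejected)}")
    record.update(changes)
    return {k: record[k] for k in PUBLIC_FIELDS}

if __name__ == "__main__":
    # Constructed sample data.
    alice = new_gid()
    submit_photo(alice, "alice@example.test", "Alice", "IN",
                 "Dawn", "https://img.example.test/1.jpg")
    print(sorted(leaky_feed()[0]))   # includes country, email and owner_gid
    print(sorted(public_feed()[0]))  # only the allow-listed fields
```
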


The only thing that OnePlus has said about this security flaw is, “OnePlus takes security seriously, and we investigate all reports we receive.” The company has, however, made a few changes to the API in order to fix the flaw that led to the leaking of the email IDs. The report in 9to5Google adds that the fixes made can be bypassed too.

As of now, no reports have surfaced of the user details being exploited. OnePlus is also expected to learn from this experience and implement a better security system on its platform.

Avani Bagga