Using ‘Shot On OnePlus’ App? Your Email Address Has Probably Been Leaked Along With Hundreds Of Other Users!

Update:

OnePlus has resolved this issue.

Here is the official statement from OnePlus: “OnePlus takes security seriously, and has updated the ShotOnOnePlus experience”

Earlier…

Privacy is an important issue and concerns regarding the same are increasing dramatically, especially after information leaks regularly coming from technology giants like Facebook and Google. Another such information leak comes from the Chinese smartphone giant ‘OnePlus’.

Apparently, OnePlus has been leaking names and email addresses of hundreds of its users, through the ‘Shot on OnePlus’ application that allegedly carries a security flaw, as reported by 9to5Google. It is unclear as to how long the data is being leaked, considerably ever since its release, which sums up to multiple years.

‘Shot On OnePlus’ Leaking Personal Information

If you’re a OnePlus user, you’re probably familiar with Shot on OnePlus. It is an application, which comes preloaded in OnePlus phones. You can upload a photo to it and share it with other OnePlus users for them to download. When users upload a photo on the wallpapers app, the company lets them enter a title, a location, and a description of the image they submit.

It comes to light that the API which connects the app to OnePlus’s server is highly unprotected. It is hosted on open.oneplus.net and to access the information, all it needs an access token, which can easily be acquired by an unencrypted key. Once accessed the API, the access to a heap of personal information, including their names, email addresses, country of residence, phone model and more gets very easy. Along with having access to that information, it can also be changed.

What is worse, is the Shot on OnePlus gid. It is an alphanumeric code, unique for every shot made by the OnePlus user. Once the API is accessed, these party can sway through gid numbers and have their hands on information of any user.

Has OnePlus Been Leaking Information Since Indefinite Years?

OnePlus has been informed about this security flaw by 9to5Google in its report early May. Even after not responding to the said report, OnePlus secretly made changes to the API to rectify the issue of email address leak but even after the fix, the API for the gid flaw can get bypassed.

It isn’t clear for how long the API was leaking the data but since OnePlus didn’t make this data public after the app was found faulty, no one is to say for how long the scam has been going on, possibly since its release, accounting to multiple years. Thankfully, no reports of exploiting user details through the security flaw have surfaced online.

According to an update, a fix for this also seems to be in work, the gid presently being blocked. Email addresses are now obscured on the API, showing asterisks in place of proper address.

This isn’t the first time OnePlus is witnessing a security issue. In October 2017, it had faced public backlash for its OxygenOS that collected unanonymised data without user consent. Even last year, a bootloader problem on OnePlus 6 required a fix. We shall keep you updated on the same.