According to a report by 9to5Google, OnePlus has been leaking the names and email addresses of hundreds of its users through the ‘Shot on OnePlus’ application, which allegedly carries a security flaw. The app lets owners of OnePlus devices upload their photos to be featured as wallpapers shown to OnePlus users globally.
The leak is reported to stem from a flaw that was communicated to the company in early May but has not been completely patched, despite a fix having been rolled out.
“It is unclear for how long this leak was happening, but because OnePlus had no reason to make this data public after the application was out, we believe it was leaking data since its release — multiple years, at least,” the report notes.
OnePlus did not initially respond to an email query from the publication but has since provided a statement: “OnePlus takes security seriously, and investigate all reports we receive.” The company has also quietly changed the API to fix the flaw and obscured the email addresses that were previously viewable. OnePlus phones have had a number of security issues in the past as well, such as the backdoor in OxygenOS that allowed the company to collect sensitive user data back in 2017.
The key weakness in the API concerns the ‘gid’, an alphanumeric code used to identify a user. A gid has two parts: a two-letter prefix that marks whether the user is from China (CN) or somewhere else (EN), followed by a unique number such as 123456.
As per the report “this ID is used by OnePlus’s API to find photos uploaded by a particular user or to delete them. It could also be used to get information about that user (name, email, country) and even update this information without any real security.”
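The flaw the report describes is a missing object-level authorization check: the API releases and modifies a user's record to whoever supplies that user's gid. The following is an added illustration, not code from OnePlus or from the report; the user records, the endpoint path and the access-log lines are constructed placeholders, and the handler names are hypothetical. It shows a handler that trusts the gid alone beside one that binds the gid to the authenticated session (the same check applies to update and delete), plus a small log check that flags a client walking through many distinct gids.

```python
import re
from collections import defaultdict
# Constructed sample records keyed by gid (placeholder data, not OnePlus's).
USERS = {
    "EN123456": {"name": "Alice Example", "email": "alice@example.invalid", "country": "US"},
    "EN123457": {"name": "Bob Example", "email": "bob@example.invalid", "country": "GB"},
}
GID_RE = re.compile(r"^(CN|EN)(\d+)$")  # region prefix followed by a number, as described

def parse_gid(gid):
    """Return (region, number) for a well-formed gid, or None otherwise."""
    m = GID_RE.match(gid)
    return (m.group(1), int(m.group(2))) if m else None

class Forbidden(Exception):
    """Raised when a caller asks for a record that is not theirs."""

def get_profile_vulnerable(gid):
    """Trusts the gid alone: anyone holding a valid gid reads that record."""
    if parse_gid(gid) is None:
        raise ValueError("malformed gid")
    return USERS[gid]

def get_profile_hardened(session_gid, gid):
    """Object-level check: the requested gid must belong to the authenticated session."""
    if parse_gid(gid) is None:
        raise ValueError("malformed gid")
    if gid != session_gid:
        raise Forbidden("gid not owned by the caller")
    return USERS[gid]

# Constructed access-log lines ("<client> <method> /user/<gid>") and their parser.
SAMPLE_LOG = [
    "203.0.113.5 GET /user/EN123456",
    "203.0.113.5 GET /user/EN123457",
    "203.0.113.5 GET /user/EN123458",
    "198.51.100.7 GET /user/EN123456",
]
LOG_LINE = re.compile(r"^(\S+) (GET|PUT) /user/((?:CN|EN)\d+)$")

def flag_enumeration(lines, threshold=3):
    """Return clients that touched at least `threshold` distinct gids (ID walking)."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            seen[m.group(1)].add(m.group(3))
    return sorted(client for client, gids in seen.items() if len(gids) >= threshold)
```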
The report also states that “OnePlus appears to be working on a fix for the API. At the moment, getting and modifying account information is blocked, with the following message appearing: Functionality upgrading, please try again later.”