OnePlus devices come preloaded with the 'Shot on OnePlus' app that allegedly carries a security flaw revealing email addresses hundreds of its users. The app offers a place to upload photos that can be featured as wallpapers by OnePlus users globally. However, the API that establishes a link between OnePlus server and the Shot on OnePlus app was allegedly leaking the email addresses associated with photo submissions. OnePlus was intimated about the flaw in early May, and while a fix was rolled out, more changes are reportedly required before it's completely patched.
The Shot on OnePlus app, accessible through the Wallpapers selection menu, asks users to log in using their email addresses to upload photos. Once uploaded, selected photos get released publicly through the API that was found to offer easy access. According to a report by 9to5Google, the API required an unencrypted key to retrieve an access token that allowed individuals to view email addresses of users who uploaded their photos. The API was hosted on open.oneplus.net.
"It is unclear for how long this leak was happening, but because OnePlus had no reason to make this data public after the application was out, we believe is was leaking data since its release — multiple years, at least," the report notes.
A "gid" is used in the API to identify users, helping find uploaded photos and delete them through the server. However, it includes two alphabets and unique numbers that could potentially be used to access sensitive data, including the name, email addresses, and countries of the users. It could also be used to modify this information.
OnePlus initially didn't respond to the email query sent by 9to5Google related to the security issues, but later provided a statement "OnePlus takes security seriously, and we investigate all reports we receive." The company offered the same statement to Gadgets 360 when contacted. Nonetheless, it has silently made a list of changes to the API to fix the flaw leaking email addresses, though 9to5Google reports that the fixes made to the API for the gid flaw can be bypassed -- an update adds that a fix for this also appears to be in the works, with modification via gid currently blocked. The company has also reportedly obscured email addresses available through the API by adding asterisks to their local parts and making only the domain part visible.
Thankfully, no reports of exploiting user details through the security flaw have surfaced online. It is also expected that OnePlus would use the discovery as a learning experience to implement more robust security measures on its offerings. We reached out to OnePlus for clarity on the fix, and were given this statement, "OnePlus takes security seriously, and has updated the ShotOnOnePlus experience."
This notably was not the first time when a security issue has been spotted on OnePlus devices. Back in October 2017, the Shenzhen-based company had faced public backlash for an issue within its OxygenOS that helped it collect unanonymised data without any user consent. The company was also in the headlines last year for a bootloader vulnerability on the OnePlus 6 that received a fix shortly.