OnePlus has reportedly been leaking the email addresses of its users through its Shot on OnePlus application. The app contains a security flaw that has exposed the email addresses of hundreds of users.
According to a report by 9to5Google, the app talks to its server through an API. APIs of this kind are normally used to store photos and related information on the server and are protected in various ways. The API OnePlus used, however, was easy to reach: anyone who obtained the access token could call it, and because the token was not protected in any meaningful way, it allowed anyone to view the email addresses of users who had uploaded photos. The API was hosted on open.oneplus.net.
“It is unclear for how long this leak was happening, but because OnePlus had no reason to make this data public after the application was out, we believe it was leaking data since its release — multiple years, at least,” the report notes.
The report claims that the leak centred on the "gid", an alphanumeric code that identifies a user. It consists of a two-letter prefix, CN for users in China and EN for everyone else, followed by a unique number. OnePlus uses this ID to find the photos uploaded by a particular user or to delete them, and the same ID can be used to retrieve details such as the user's name, email address and country. Because the gid is the only thing the API checks, anyone who holds the token can read or update any user's information without any real security, the report notes. In practice, a sequential identifier with a known prefix is also trivial to enumerate, so an attacker need not know a victim's gid in advance.
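The access-control failure the report describes is a classic broken object-level authorization: one app-wide token plus a guessable per-user identifier. The following is an added example, not OnePlus's code and not taken from the 9to5Google report; it models that pattern in a toy in-memory service (the vulnerable design, with the shared token shipped in the client, beside a hardened design that ties every lookup and update to the authenticated caller). The record fields, the specific gid numbers, the e-mail addresses, the token value and the function names are all assumptions made for illustration; only the CN/EN-plus-number shape of the gid comes from the page.

```python
"""Added example (not OnePlus's code): a toy model of an API that looks up and
edits user records by "gid" behind a single shared access token, beside a
version that binds each request to the session's owner. Endpoint names, token
values, record contents and gid numbers are assumptions for illustration."""

from dataclasses import dataclass, field
import re
import secrets

# Constructed sample records. The gid shape (CN/EN prefix plus a number)
# follows the report; the numbers, names and e-mail addresses are made up.
USERS = {
    "EN1001": {"name": "Alice", "email": "alice@example.com", "country": "US"},
    "EN1002": {"name": "Bob", "email": "bob@example.com", "country": "DE"},
    "CN2001": {"name": "Chen", "email": "chen@example.com", "country": "CN"},
}

# Vulnerable design: one token for the whole app, embedded in the client.
# Anyone who extracts it can query every gid. (Assumed value.)
SHARED_APP_TOKEN = "app-token-embedded-in-apk"

GID_RE = re.compile(r"^(CN|EN)\d+$")


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def lookup_vulnerable(token: str, gid: str) -> dict:
    """Returns any user's record to whoever knows the shared token."""
    if token != SHARED_APP_TOKEN:
        raise Forbidden("bad token")
    if not GID_RE.match(gid) or gid not in USERS:
        raise KeyError(gid)
    return dict(USERS[gid])


def update_vulnerable(token: str, gid: str, **fields) -> dict:
    """Lets any token holder overwrite any user's profile fields."""
    if token != SHARED_APP_TOKEN:
        raise Forbidden("bad token")
    USERS[gid].update(fields)
    return dict(USERS[gid])


def enumerate_vulnerable(token: str, prefix: str, start: int, stop: int) -> list:
    """What an attacker does with the shared token: walk sequential gids and
    collect the e-mail address behind each one that exists."""
    found = []
    for n in range(start, stop):
        gid = f"{prefix}{n}"
        if gid in USERS:
            found.append((gid, lookup_vulnerable(token, gid)["email"]))
    return found


# Hardened design: per-user sessions issued after login, and every data
# access is checked against the gid that session belongs to.
@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # session token -> gid

    def login(self, gid: str) -> str:
        # Assumes the user already proved their identity (password, OAuth...).
        # The session token is random, never derived from the gid.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = gid
        return token

    def owner(self, token: str) -> str:
        try:
            return self.sessions[token]
        except KeyError:
            raise Forbidden("no such session")


def lookup_hardened(store: SessionStore, token: str, gid: str) -> dict:
    """Object-level authorization: the gid must be the session owner's own."""
    if store.owner(token) != gid:
        raise Forbidden("gid does not belong to caller")
    return dict(USERS[gid])


def update_hardened(store: SessionStore, token: str, gid: str, **fields) -> dict:
    """Same ownership check, plus an allow-list of editable fields; an e-mail
    change would need re-verification and is silently dropped here."""
    if store.owner(token) != gid:
        raise Forbidden("gid does not belong to caller")
    allowed = {k: v for k, v in fields.items() if k in {"name", "country"}}
    USERS[gid].update(allowed)
    return dict(USERS[gid])


def denied(fn, *args, **kwargs) -> bool:
    """Helper: True if the call is rejected with Forbidden."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False
```

The vulnerable functions authenticate the application, not the user, so possession of the embedded token is equivalent to possession of every account; the hardened ones make the gid a property of the session rather than a request parameter the caller controls, which is the check missing in the pattern the report describes.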
OnePlus has acknowledged the flaw and said, "OnePlus takes security seriously, and we investigate all reports we receive." The company is working on a fix for the API, and in the meantime account information is blocked with the following message: "Functionality upgrading, please try again later."