Not too long ago, experts discovered a huge security flaw in OnePlus devices. According to reports, the tech company used the Shot on OnePlus app to leak user email addresses in the hundreds!
Although the company fixed the main problem, there’s still a lot of controversy surrounding the whole scandal. That’s why we’re sharing a breakdown of how OnePlus leaking user emails happened and what other threats OnePlus needs to fix.
How Does the Shot On OnePlus App Work?
The Shot on OnePlus feature is a standard feature in most if not all OnePlus devices, and it’s right on the Wallpapers section of the main menu. This feature basically contains all the photos that you’ve uploaded onto your device so you can use them as your wallpaper. Usually, a different photo appears every day.
You can upload photos you like from a website or from the app itself. Either way, you will have to upload a photo. The app also allows you to change your profile credentials including your email address, country, name etc. straight from the app or website.
This means you can put all of those details next to each photo that you upload as part of the photo description. Once you select the photo, it shows up visibly on the Shot on OnePlus app and website gallery.
On a basic level, this is how they discovered OnePlus leaking user emails.
What is the Issue?
Basically, the Shot on OnePlus app has the ability to connect to the company’s server through the API. This means every photo you upload is processed through this API before you can save it online. Now, there are many different methods that you can use to secure private user information through an API.
The problem with OnePlus leaking user emails is that the API made it super easy for anyone to access user emails. This is mainly because it’s hosted on the company’s domain which was available to anyone with an access token. This is the same access token that a user would need to perform most of the other actions within the API. The worst part is that accessing the token requires an unencrypted key in alphanumeric codes.
The main intention of the API is to access public photos. This means you could use it to access sensitive information that would otherwise be unavailable to public users.
There’s no telling how long this leak happened for mainly because OnePlus didn’t have to publicize this information after they released the application. However, there’s reason to believe that the leak occurred from the app’s release, which would amount to several years.
One of the main causes for this leak was a vulnerability known as “gid” according to OnePlus.
What is Gid?
The “gid” is basically a user identifying alphanumeric code and every Shot on OnePlus app users would get the “gid” through the API.
It basically comes in two aspects, namely:
- There are two letters which show where the user is from. It’s CN for China and EN for elsewhere.
- Then there’s a unique number such as 123456.
The OnePlus API would use this ID to access or delete uploaded photos from certain users. The same ID can also be used to access user credentials and data including their name, email, and location. The company could even use this information to update its data without considering the security ramifications.
Another major error that made OnePlus leaking user emails possible was the fact that the numeric part made it super easy to find users by searching through the numbers.
Has OnePlus Reacted to This?
When researchers initially reached out to OnePlus about this problem, they couldn’t get a straight answer from the company. But, OnePlus started changing the API shortly after this interaction to eliminate the leaks. This means that user credentials such as email addresses are no longer publicly listed when they upload photos.
OnePlus boosted security to cover up the “gid” flaw as well. As a result, OnePlus only uses the API for the Shot on OnePlus app. It’s worth noting that any talented hacker can easily bypass this flimsy excuse for a security measure. However, they do try to hide the email address through the use of asterisks, for instance, na****@gmail.com.
Final Thoughts
OnePlus leaking user emails isn’t the first security issue that was discovered. Take, for example, the 2017 incident where software engineer Christopher Moore found out that OnePlus used its own analytics app to collect personal user information. But, most of those emails have since been made private after the discovery was made.
What OnePlus needs to do is verify all of their APIs and make sure that the app is up to date. They can do this by releasing a relevant update to all users since they are aware of these errors.
What’s sad is that the company isn’t as proactive as users would like. Even now, anyone can alter the credentials of any user through the company’s public API, which is why it’s important for them to find an effective solution to secure the Shot on OnePlus app.
What do you think of OnePlus leaking user emails? Let us know in the comments below!
