OnePlus app's flaw leaked user email addresses: Here's how
An app built into OnePlus phones leaked the email addresses of hundreds of people. The program, dubbed Shot on OnePlus, had a flaw that exposed the information without giving users any indication that it was happening. OnePlus released a fix for the issue after learning about it last month. Here's everything you need to know.
Shot on OnePlus: A way to share photos with the world
In the Wallpapers menu of OnePlus devices, users get a 'Shot on OnePlus' section to share their photos - be it a landscape or something else - with the world. Every day, the company selects one particular photo from what the users share and features it in the 'Shot on OnePlus' app so that others can use it as their wallpaper.
However, this capability had a critical flaw
Any user uploading a photograph through 'Shot on OnePlus' is required to provide basic information, like their name and email, as well as the title and description of the photo being uploaded. Once that's done, the app uses an API to connect to OnePlus's server and save all the information online. But, in this case, the API wasn't properly secured.
Issue with the API
The folks at 9To5Google found that anyone could have used an alphanumeric code, an unencrypted key, to retrieve the access token required to use the API and access the information passing through it to the server, including email addresses of users whose photos were featured.
Now, the issue has been fixed
While there's no way to say how long Shot on OnePlus leaked addresses this way or whether anyone accessed the information, OnePlus has issued a fix for the flaw. The company made changes to the API last month to fix the bug and even started using asterisks to mask user emails and keep them from being compromised.
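The masking fix described above addresses a response that carried more data than the wallpaper feature needs. The sketch below is an added example, not OnePlus's code: it builds the public record from an allowlist so the email never leaves the server, and shows an asterisk-masked hint for the uploader's own view. All field names and the sample record are assumptions constructed for illustration.

```python
import json

# Constructed sample of a stored upload; field names are assumptions,
# not OnePlus's actual schema.
STORED_UPLOAD = {
    "photo_id": 1042,
    "title": "Harbour at dusk",
    "description": "Long exposure from the pier",
    "author_name": "A. Example",
    "author_email": "a.example@mail.example",
    "photo_url": "https://cdn.example/photos/1042.jpg",
}

# Only these keys may ever appear in a public response.
PUBLIC_FIELDS = ("photo_id", "title", "description", "author_name", "photo_url")


def mask_email(address: str) -> str:
    """Keep the first character and the domain; replace the rest with a
    fixed run of asterisks so the local part's length is not revealed."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        return "***"  # malformed input: reveal nothing
    return local[0] + "***@" + domain


def public_view(record: dict) -> dict:
    """Serialize by allowlist, so any private field added to the stored
    record later stays private by default."""
    return {key: record[key] for key in PUBLIC_FIELDS if key in record}


def owner_view(record: dict) -> dict:
    """View for the authenticated uploader: public fields plus a masked hint."""
    view = public_view(record)
    if "author_email" in record:
        view["author_email_hint"] = mask_email(record["author_email"])
    return view


def leaks_email(payload: dict, record: dict) -> bool:
    """Regression check: does the serialized payload contain the raw address?"""
    return record["author_email"].lower() in json.dumps(payload).lower()


if __name__ == "__main__":
    print(json.dumps(public_view(STORED_UPLOAD), indent=2))
    print(json.dumps(owner_view(STORED_UPLOAD), indent=2))
```

A check like `leaks_email` belongs in the API's test suite, run against every endpoint that returns photo records, so a later schema change cannot silently reintroduce the field.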
More issues seen in API
Notably, 9To5Google claims that the security improvements introduced with the latest API fix can be bypassed, but OnePlus has reassured its users that it is also working on a patch to change that.