12 June 2019
An app available by default in OnePlus phones was reportedly leaking email addresses. Spotted by 9to5Google, it was the “Shot on OnePlus” app that came into the highlight for publically disclosing the emails of the users. The app lets you change the wallpapers of your phone. Those who want to showcase their photography make use of this app and upload wallpapers to this app so that others could see and use it as well.
OnePlus has now made changes to where it was required. But it looks like who knew the access might have already taken advantage of it. Below is the brief on what happened exactly.
Users who upload photos to Shot on OnePlus from the phone require to log in first and hence they need to enter their email address as well. The use of credentials associated with the photos submissions appears to be no harm but unfortunately, the app was leaking these emails for those who had easy access to it or who knew how to get into it with the mere right token.
The culprit here is the API which was reportedly designed by OnePlus in such a way that it becomes easy for someone to get the hold of email addresses from Shot on OnePlus. The API on open.oneplus.net was hosted without typical API securities, thus making easier access for anyone with the right token.
The “gid” available in the API makes it worse since it includes the alphanumerical code that lets the API identify specific users. For instance, it tells where this particular user lives. The tech publication, 9to5Google explains, the gid includes two parts – two letters that tell whether a user is from China (CN) or somewhere else (EN), and a unique number, like 123456. According to the report, this ID is used by OnePlus’s API to find photos uploaded by a particular user or to delete them.
As per the report, “this information could also be used to get information about that user (name, email, country), and even update this information without any real security.”
Needless to say, with the help of the second part of the gid, it was also easier to look for other users.
9to5Google reached out to OnePlus and explained them the issue but it received no direct response. However, the company quickly made changes to the API after their email. The API is now no longer leaking the gid and email of the users and the company has also added a bit more security to some parts of the API, though 9to5Google notes that can be easily bypassed. OnePlus has now also added asterisks in the email addresses.