+ Tuesday July 16th, 2019

Nearly every week it seems that some company is found to be having security issues and leaking customer details. This week, in addition to the usual culprit (Facebook), OnePlus is in the news for the wrong reasons.

As part of the OnePlus community experience OnePlus has an app called ‘Shot on OnePlus’. When users take a photo with their OnePlus phone they can upload the image to the ‘Shot on OnePlus’ app after logging into it with their email address. The app is a gallery where other OnePlus users can look at all of the photos that have been uploaded by OnePlus users — the photo can then be set as a wallpaper or downloaded.

The security issue arises in the API that OnePlus use for the ‘Shot on OnePlus’ app. The API can be accessed by anyone with an access token. To get this token you need a key, but the key is a simple alphanumeric string and it is not encrypted. This means it was relatively easy for someone to get into the API if they wanted to.

Exploring the API, someone could see the user email address for that photo. The identification number of that user is also displayed, which can then apparently be cycled through to get to the next user and so on, revealing many email addresses — similar to the way Westpac apps were recently revealed to allow lookups on user identities here in Australia.

It’s unclear whether this was ever exploited by malicious parties, but it also goes to show that users are right to be suspicious of how personal information is stored, used and transmitted by companies.

It also speaks to our culture around security and software development that this API wasn’t designed to obscure user details by default.

To their credit, OnePlus was notified of this issue and updated the API – it’s more difficult to access now without going through the app, and email addresses are now obscured by asterisks. It’s fair to say that their users deserve better, though.

Source: 9to5Google.

Scott Plowman   Editor

Avatar

Scott is our modding guru - he has his finger on the pulse of all things ‘moddable’, pointing us towards all the cutting edge mods hacks that are available. When he’s not gymming it up, or scanning the heck out of Nexus devices, you'll find him on the Ausdroid Podcast.

Outside of Ausdroid, Scott's a health care professional and lecturer at a well known Victorian university.

1
Join the Ausdroid Conversation

avatar
1 Comment threads
0 Thread replies
1 Followers
 
Most reacted comment
Hottest comment thread
1 Comment authors
Berto Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Tibb So
Ausdroid Reader
Tibb So

If you’re a OnePlus owner then surely you are willing to accept Chinese Gov’t spyware and shouldn’t be too worried about a little data leak.

It would be silly to think that Huawei is the only Chinese phone manufacturer being told what to do by the Chinese Dictatorship.

Check Also

ASUS ROG phone 2 will be powered by the Snapdragon 855 plus

We know the ROG Phone 2 is coming and we know it will be officially …