OnePlus was inadvertently leaking user email addresses from the Shot on OnePlus app

Nearly every week, it seems, some company is found to have a security issue that leaks customer details. This week, in addition to the usual culprit (Facebook), OnePlus is in the news for the wrong reasons.

As part of the OnePlus community experience, OnePlus has an app called ‘Shot on OnePlus’. When users take a photo with their OnePlus phone they can upload the image to the ‘Shot on OnePlus’ app after logging into it with their email address. The app is a gallery where other OnePlus users can browse every photo uploaded by OnePlus users, and any photo can then be set as a wallpaper or downloaded.


The security issue lies in the API that OnePlus uses for the ‘Shot on OnePlus’ app. The API can be accessed by anyone holding an access token. Obtaining a token requires a key, but that key is just a plain, unencrypted alphanumeric string. In other words, anyone who wanted to could get into the API with relatively little effort.

Exploring the API, someone could see the email address of the user who uploaded a given photo. That user’s identification number is also returned, and it can apparently be cycled through to reach the next user and so on, revealing many email addresses, similar to the way Westpac apps were recently found to allow lookups of user identities here in Australia.

It’s unclear whether this was ever exploited by malicious parties, but it goes to show that users are right to be suspicious of how personal information is stored, used and transmitted by companies.

It also speaks to our culture around security and software development that this API wasn’t designed to obscure user details by default.

To their credit, OnePlus was notified of this issue and updated the API – it’s more difficult to access now without going through the app, and email addresses are now obscured by asterisks. It’s fair to say that their users deserve better, though.
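The two serializers below are an added illustration of the flaw and the fix as the article describes them, not OnePlus code; the record layout, field names and handle secret are constructed assumptions, since the real API schema is not published here. The leaky version echoes the uploader’s email and a sequential user ID; the hardened version masks the email with asterisks and replaces the sequential ID with an opaque, keyed handle that cannot simply be incremented.

```python
import hashlib
import hmac
import re

# Constructed sample record; the real Shot on OnePlus API schema is not on the page.
SAMPLE_PHOTO = {"photo_id": 5150, "user_id": 2873,
                "email": "alice.wong@example.com", "title": "Dawn"}

# Assumption: a server-side secret loaded from config, never shipped inside the app.
HANDLE_SECRET = b"rotate-me-server-side-only"


def serialize_leaky(photo):
    """'Before': returns the internal record as-is, so every photo reveals the
    uploader's email and a sequential user_id that can simply be incremented."""
    return {"photo_id": photo["photo_id"], "user_id": photo["user_id"],
            "email": photo["email"], "title": photo["title"]}


def mask_email(email):
    """Keep the first character of the local part and the domain; asterisk the rest."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def opaque_handle(user_id, secret=HANDLE_SECRET):
    """Derive a stable, non-sequential public identifier from the internal user_id.
    Without the secret a client cannot compute the handle for user_id + 1."""
    digest = hmac.new(secret, str(user_id).encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def serialize_hardened(photo):
    """'After': expose only what a gallery needs; no raw email, no sequential user id."""
    return {"photo_id": photo["photo_id"],
            "uploader": opaque_handle(photo["user_id"]),
            "uploader_display": mask_email(photo["email"]),
            "title": photo["title"]}


def leaks_contact_data(response):
    """Regression check for tests or CI: does any string field look like an unmasked email?"""
    pattern = re.compile(r"^[^@*\s]{2,}@[^@\s]+$")
    return any(isinstance(v, str) and pattern.match(v) for v in response.values())
```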

Last modified on 15 June 2019 11:06 am

Scott Plowman: Scott is our modding guru. He has his finger on the pulse of all things ‘moddable’, pointing us towards all the cutting-edge mods and hacks that are available. When he’s not gymming it up, or scanning the heck out of Nexus devices, you’ll find him on the Ausdroid Podcast. Outside of Ausdroid, Scott’s a health care professional and lecturer at a well-known Victorian university.


  • If you're a OnePlus owner then surely you are willing to accept Chinese Gov't spyware and shouldn't be too worried about a little data leak.

    It would be silly to think that Huawei is the only Chinese phone manufacturer being told what to do by the Chinese Dictatorship.
