Nearly every week, it seems, some company is found to have security issues and to be leaking customer details. This week, in addition to the usual culprit (Facebook), OnePlus is in the news for the wrong reasons.
As part of the OnePlus community experience OnePlus has an app called ‘Shot on OnePlus’. When users take a photo with their OnePlus phone they can upload the image to the ‘Shot on OnePlus’ app after logging into it with their email address. The app is a gallery where other OnePlus users can look at all of the photos that have been uploaded by OnePlus users — the photo can then be set as a wallpaper or downloaded.
The security issue lies in the API that OnePlus uses for the ‘Shot on OnePlus’ app. The API can be accessed by anyone with an access token. To get this token you need a key, but the key is a simple alphanumeric string and it is not encrypted, which meant it was relatively easy for someone to get into the API if they wanted to.
Anyone exploring the API could see the email address of the user who uploaded a given photo. That user's identification number is also displayed, and it could apparently be cycled through to reach the next user and so on, revealing many email addresses. This is similar to the way Westpac apps were recently revealed to allow lookups on user identities here in Australia.
It’s unclear whether this was ever exploited by malicious parties, but it also goes to show that users are right to be suspicious of how personal information is stored, used and transmitted by companies.
It also speaks to our culture around security and software development that this API wasn’t designed to obscure user details by default.
To their credit, OnePlus was notified of this issue and updated the API – it’s more difficult to access now without going through the app, and email addresses are now obscured by asterisks. It’s fair to say that their users deserve better, though.
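As an added, defender-side illustration (not OnePlus's code; the record fields, the server secret and the function names are assumed), here is a response layer that does by default what the fix above did after the fact: it masks the uploader's email with asterisks, replaces the sequential user id with a keyed reference that cannot be incremented to reach the next user, and includes a contract check a test suite could run to catch raw emails in API responses.

```python
import hashlib
import hmac
import re

# Constructed sample record, as a gallery backend might hold it internally.
# Field names are assumed for illustration, not OnePlus's real schema.
PHOTO_RECORD = {
    "photo_id": 1042,
    "user_id": 7731,
    "email": "alice.example@example.com",
    "title": "Sunset over the bay",
}
# Assumed server-side secret; it must never ship inside the app.
SERVER_SECRET = b"constructed-secret-keep-out-of-the-app"

# Matches an unmasked address; '*' is excluded so masked values do not match.
EMAIL_RE = re.compile(r"[^@\s*]+@[^@\s]+\.[^@\s]+")


def leaky_response(record):
    """The 'before' shape: raw email plus a sequential numeric user id."""
    return dict(record)


def mask_email(email):
    """Keep the first character of the local part (if more than one) and the
    domain; replace the rest with a fixed run of asterisks so length leaks nothing."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    head = local[0] if len(local) > 1 else ""
    return head + "***@" + domain


def opaque_user_ref(user_id, secret=SERVER_SECRET):
    """Stable, non-sequential reference: a keyed hash of the id, so knowing
    ref(n) gives no way to compute ref(n+1) without the server secret."""
    return hmac.new(secret, str(user_id).encode(), hashlib.sha256).hexdigest()[:16]


def hardened_response(record):
    """Public shape: no raw email and no enumerable user id."""
    return {
        "photo_id": record["photo_id"],
        "uploader_ref": opaque_user_ref(record["user_id"]),
        "uploader_email_masked": mask_email(record["email"]),
        "title": record["title"],
    }


def exposes_raw_email(response):
    """Contract check for tests or CI: does any string value carry an unmasked email?"""
    return any(isinstance(v, str) and EMAIL_RE.search(v) for v in response.values())
```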