Shot on OnePlus feature was reportedly leaking email IDs of users online

By Digit NewsDesk | Published on 16 Jun 2019
HIGHLIGHTS
  • OnePlus was reportedly leaking email id of users who uploaded images on the Shot on OnePlus app.

  • The company has taken note and is said to be patching the API that was leaking the info.

Shot on OnePlus feature was reportedly leaking email IDs of users online

Update June 18, 2019: OnePlus has updated the Shot on OnePlus experience to fix the problem. In an emailed statement, the company said, "OnePlus takes security seriously, and has updated the ShotOnOnePlus experience."

If you use a OnePlus smartphone might have noticed a ‘Shot on OnePlus’ application, which can be accessed via the wallpaper selection menu. The feature enables OnePlus users to set images as wallpapers that were captured via OnePlus phones, and a new wallpaper is added to it every day. 9to5Google has reported discovering a major bug in the option that is leaking email id of users online. OnePlus is said to use an API to facilitate connectivity between its server and the Shot on OnePlus app. This API is hosted on open.oneplus.net and is reportedly insecure as it can be accessed by anyone who has an access token. This access token can apparently be retrieved via an unencrypted key and the token and the key is said to be alphanumeric codes. 

The API is used to fetch public images uploaded by users but as per a screenshot of it in action, it also displays their sensitive information like email id, upload location and time. The main issue arises due to a ‘gid’ used by the API to identify a user. Every user has a unique gid assigned to them and it can be used by OnePlus’s API to find and/or delete photos uploaded by a particular user. It can also be used to get information on a user like their email id, name and country. Since this id uses a unique number, one can cycle through the numbers to find other users. 

OnePlus was informed about the flaw and the company made some changes to the API to plug the gid leak. “OnePlus takes security seriously, and we investigate all reports we receive,” OnePlus said in a statement. The API is no longer displaying email id of users whose images are publicly posted and currently, the company seems to be working on fixing it as trying to access information is said to be blocked.

OnePlus 7 Pro 128GB Key Specs, Price and Launch Date

Price:
Release Date: 14 May 2019
Variant: 64GB , 128GB , 256GB
Market Status: Launched

Key Specs

  • Screen Size Screen Size
    6.7" (3120 x 1440)
  • Camera Camera
    48 + 16 + 8 | 16 MP
  • Memory Memory
    128GB/6GB
  • Battery Battery
    4000 mAh
logo
Digit NewsDesk

The guy who answered the question 'What are you doing?' with 'Nothing'.

email

Advertisements

Trending Articles

Advertisements

LATEST ARTICLES View All

Advertisements

Hot Deals View All

Redmi 9A (Sea Blue, 3GB Ram, 32GB Storage) | 2GHz Octa-core Helio G25 Processor
Redmi 9A (Sea Blue, 3GB Ram, 32GB Storage) | 2GHz Octa-core Helio G25 Processor
₹ 7499 | $hotDeals->merchant_name
Redmi 9 Prime (Matte Black, 4GB RAM, 128GB Storage) - Full HD+ Display & AI Quad Camera
Redmi 9 Prime (Matte Black, 4GB RAM, 128GB Storage) - Full HD+ Display & AI Quad Camera
₹ 10999 | $hotDeals->merchant_name
Redmi Note 9 Pro Max (Interstellar Black, 6GB RAM, 64GB Storage) - 64MP Quad Camera & Alexa Hands-Free Capable
Redmi Note 9 Pro Max (Interstellar Black, 6GB RAM, 64GB Storage) - 64MP Quad Camera & Alexa Hands-Free Capable
₹ 14999 | $hotDeals->merchant_name
Samsung Galaxy M31 (Ocean Blue, 8GB RAM, 128GB Storage)
Samsung Galaxy M31 (Ocean Blue, 8GB RAM, 128GB Storage)
₹ 16999 | $hotDeals->merchant_name
DMCA.com Protection Status