‘Shot on OnePlus’ Is Reported To Leak Users Emails

Shackcham Mirchandani - Jun 18, 2019



The application on OnePlus phones is reported to be leaking users' information, specifically their email addresses.

According to a report from 9to5Mac, the ‘Shot on OnePlus’ app has a security flaw that revealed its users’ email addresses. The app is available on every OnePlus phone and is accessible whenever users select their phone's wallpaper.

A flaw in the app is believed to be revealing users' emails

The app is essentially a platform that lets users upload photos they have taken and have them featured as wallpapers on other phones. According to the report, the API that links the app to the server was responsible for leaking the email addresses associated with photo submissions. The API requires an unencrypted key to retrieve an access token, and that token then lets any stranger see uploaders’ email addresses. The API was hosted at open.oneplus.net.

The company has reportedly known about the flaw since May, yet it showed no concern about the problem and did not even try to warn users that their emails were publicly visible. Although a bug fix has been carried out, the problem requires more than that to be fully solved.

The company did not attempt to show any concern about the problem

We don’t know for sure how long the leak has been happening. However, the report stated that, since the company did not publish any data after the app was found to have a flaw, there is every reason to believe that the leak has been happening ever since the first release of the application, which means a number of years.

OnePlus evidently had no intention of replying to the email reporting the security flaw in the first place. After a while, however, the company made a statement saying that it will take the security problem seriously and will investigate every report sent to it. OnePlus appears to have quietly made some changes to the API in order to fix the leak, yet 9to5Google still affirms that those fixes can be bypassed.

Some changes have been made to fix the problem

According to a new update, a new fix for the problem seems to be working: modification through the gid is being blocked at the moment. The Chinese smartphone maker has also obscured the emails returned by the API, showing only part of the username and leaving the domain as the only fully visible part: a*****@xyzmail.com.
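As an added illustration of the masking described above (not OnePlus's code; the field names, the sample record and the fixed five-asterisk mask are assumptions), a server can build its responses from an allowlist of fields, emit the email only in masked form, and run a regression check that flags any full address in a payload:

```python
import re

# Hypothetical field names; the page does not describe the real response schema.
PUBLIC_FIELDS = ("photo_id", "title", "author_name")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample record (not real data).
SAMPLE = {"photo_id": 101, "title": "Dawn", "author_name": "A. User",
          "email": "alice@xyzmail.com", "gid": "internal-0001"}


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain, matching the
    a*****@xyzmail.com form. A fixed run of asterisks hides the local length."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return f"{local[0]}*****@{domain}"


def public_view(record: dict) -> dict:
    """Build the response from an allowlist so internal fields are never
    serialized by default; the email is only ever emitted masked."""
    view = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    if record.get("email"):
        view["email"] = mask_email(record["email"])
    return view


def find_unmasked_emails(payload) -> list:
    """Recursively scan a decoded JSON payload for full email addresses."""
    found = []
    if isinstance(payload, dict):
        for value in payload.values():
            found.extend(find_unmasked_emails(value))
    elif isinstance(payload, list):
        for item in payload:
            found.extend(find_unmasked_emails(item))
    elif isinstance(payload, str):
        found.extend(EMAIL_RE.findall(payload))
    return found
```

The masked form still discloses the first character and the mail domain, so a response that does not need the address at all is better served by leaving the field out of the allowlist entirely.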
