If you’ve been a fan of OnePlus’ Shot on OnePlus wallpaper app and you’ve been uploading photos to it for the past months, your email address might have been leaked by the company without your knowledge. It appears that there was a security flaw in the API used by the app, and it has taken the company months to respond after a news website called their attention to it. While they’re now taking steps to fix this error, they have not made any move to inform users that their sensitive data may have been exposed.
9to5Google discovered this security flaw in the Shot on OnePlus app’s API and called the company’s attention to it, but did not receive an immediate response. Immediately after they sent the email, however, the API was no longer “leaking” the gid and email of users. OnePlus eventually made a statement that they are taking this seriously and are investigating the reports they receive. They are also working on a fix to the API, and getting and modifying account information is currently blocked.
If you’re not familiar with the Shot on OnePlus app, it allows users to upload photos so that other users can use them as wallpapers if they want to. Every day, one new photo appears within the app, and it can include the user’s name, country, and email address if they want that information included. You are required to log in to the app in order to upload a photo. If your photo gets chosen, it will of course appear publicly in the app and in a gallery on their website.
What happened was that the API linking the server and the app could be accessed very easily by anyone with an access token. There are some technical details to this, but basically sensitive data like email addresses and the “gid” (an alphanumeric code) was easily accessible. As a result, the email addresses of users who uploaded photos to the app could potentially be accessed.
We’re still waiting for OnePlus to inform users about what happened, but you can read all about it in the 9to5Google article. Hopefully, no one will use this information nefariously, but these days, you can never be too sure.