OnePlus Leaked User Email Addresses via 'Shot on OnePlus' App
OnePlus devices come preloaded with the 'Shot on OnePlus' app, which allegedly carries a security flaw that reveals the email addresses of hundreds of its users. The app offers a place to upload photos that can be featured as wallpapers by OnePlus users globally.
However, the API that links the OnePlus server and the Shot on OnePlus app was allegedly leaking the email addresses associated with photo submissions.
OnePlus was informed of the flaw in early May, and while a fix was rolled out, more changes are reportedly required before it is completely patched.
The Shot on OnePlus app, accessible through the Wallpapers selection menu, asks users to log in using their email addresses to upload photos. Once uploaded, selected photos are released publicly through the API, which was found to offer easy access.
According to a report by 9to5Google, the API required an unencrypted key to retrieve an access token that allowed individuals to view email addresses of users who uploaded their photos.
"It is unclear for how long this leak was happening, but because OnePlus had no reason to make this data public after the application was out, we believe it was leaking data since its release — multiple years, at least," the report notes.
A "gid" is used in the API to identify users; the server uses it to find uploaded photos and to delete them.
However, the gid is made up of two letters and unique numbers, and it could potentially be used to access sensitive data, including the names, email addresses, and countries of the users. It could also be used to modify this information.
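The two problems described above, email addresses returned with public photo data and a gid that works as the only key to a user's record, are both closed on the server side. The sketch below is an added example, not OnePlus code: every name except "gid" is hypothetical, the sample records are constructed, and it assumes the session gid comes from a server-verified login token and that the public feed credits photographers by name only.

```python
# Constructed sample data; record layout and field names are assumptions.
USERS = {
    "AB1001": {"gid": "AB1001", "name": "Alice", "email": "alice@example.com", "country": "DE"},
    "AB1002": {"gid": "AB1002", "name": "Bob", "email": "bob@example.com", "country": "IN"},
}
PHOTOS = [
    {"photo_id": 1, "title": "Dawn", "owner_gid": "AB1001"},
    {"photo_id": 2, "title": "Harbor", "owner_gid": "AB1002"},
]

PUBLIC_AUTHOR_FIELDS = ("name",)        # allow-list: email and gid never leave the server
EDITABLE_FIELDS = {"name", "country"}   # fields a user may change on their own record


class Forbidden(Exception):
    """Raised when a caller asks for a record it does not own."""


def public_feed():
    """Build the public wallpaper feed from an explicit field allow-list."""
    feed = []
    for photo in PHOTOS:
        owner = USERS[photo["owner_gid"]]
        feed.append({
            "photo_id": photo["photo_id"],
            "title": photo["title"],
            "author": {field: owner[field] for field in PUBLIC_AUTHOR_FIELDS},
        })
    return feed


def _require_owner(session_gid, requested_gid):
    # The gid is an identifier, not a credential: knowing or guessing one
    # must not grant access. Only the authenticated owner passes.
    if session_gid is None or session_gid != requested_gid:
        raise Forbidden("gid does not match the authenticated session")


def get_profile(session_gid, requested_gid):
    """Return the full profile, email included, to its owner only."""
    _require_owner(session_gid, requested_gid)
    return dict(USERS[requested_gid])


def update_profile(session_gid, requested_gid, changes):
    """Apply owner-requested changes, limited to the editable fields."""
    _require_owner(session_gid, requested_gid)
    rejected = set(changes) - EDITABLE_FIELDS
    if rejected:
        raise ValueError(f"fields not editable: {sorted(rejected)}")
    USERS[requested_gid].update(changes)
    return dict(USERS[requested_gid])
```
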