OnePlus is no stranger to cases of security breach and today we are aware of one more. At issue is the “Shot on OnePlus” application which, according to 9to5 Google, has shared hundreds of emails from its users.
The “Shot on OnePlus” application comes pre-installed on Chinese brand smartphones. With this application you can access photos taken by other OnePlus users and still share ours. The only requirement is that the photos were taken with a branded smartphone.
To upload a photo you need to share various information such as title, location and description. Another requirement is to have an account that, of course, contains data such as our name, country and email address.
What information is being shared?
This security breach is enabling users with access to a OnePlus API to be aware of the personal data of the users of the Shot on OnePlus application. Since this API is available on a public server, anyone could have access to all of this data.
The API responsible for this security flaw bridges the server and “Shot on OnePlus” application. All photos shared in this application must pass through this API. Anyone with token access to this API could easily access user data.
This security flaw allows users to be identified
To make matters worse, OnePlus has a protocol that allows you to identify each of your users. This protocol is known as “gid” and consists of two letters and a set of numbers.
The letters refer to the country of origin of the user. In the case of being from China have the letters CN, but if it is from any other location we have the letters EN. Already the numbers are composed by six numbers. This “gid” is generated as soon as any user logs into the “Shot on OnePlus” application.
These codes are designed so that the Chinese company is able to identify those responsible for each photograph. This information is mainly used in cases where OnePlus intends to delete a particular photograph.
OnePlus already solved the problem
After coming across this scenario, 9to5 Google has contacted OnePlus. Although they have not received any response, it is noted that the Chinese company has already taken steps to protect the data of its users.
Now, the e-mail addresses that can be obtained by exploiting this API are appearing masked by asterisks. In addition, such “gid” is no longer shared in case of exploiting this security flaw.
This is not the first case of security holes in OnePlus applications. In 2017 it was discovered that another Chinese app would be sharing sensitive information from its users. This new case shows us that OnePlus should be more careful with the security protocols of its software.