One Plus found leaking user data
Chinese smartphone brand OnePlus has been reportedly leaking data of OnePlus phone users for years. According to a report by 9to5 Google, OnePlus has been ‘unknowingly’ leaking crucial personal information of its users publicly for quite a considerable amount of time and it is only when the major security flaw was pointed out to the company recently that it has started to investigate. Here is everything you must know about this breach in privacy.
According to the report, OnePlus has been leaking names and email addresses of hundreds of its users, through the ‘Shot on OnePlus’ application that allegedly carries a security flaw. The app offers you a place to upload photos taken by your OnePlus device to be featured as wallpapers by OnePlus users globally.
As the name suggests, ‘Shot on OnePlus’ allows users to upload their photos from the phone or from a website (for which they need to be logged in to the OnePlus account) and set user-submitted photos as their wallpaper. Users can also adjust their profile, including their name, country, and email address from the app and the website. OnePlus chooses one photo every day to feature in the app and on the website. According to 9to5Google, the API OnePlus used to make a link between their server and the app was “fairly easy to access” despite carrying private information about users. It said anyone with an access token could “do most actions” with the API. An API, or Application Programming Interface, is a software intermediary that allows two applications to talk to each other.
9to5Google said it discovered the “somewhat major” vulnerability in the API OnePlus uses for the app a couple of months ago, and that the company had already fixed it. It said it was unclear for how long users’ data had been leaking in this way, but believed it had been happening since the launch of the ‘Shot on OnePlus’ app many years ago.
The leak was reported taking place because of a flaw which was communicated to the company in early May but hasn’t been completely patched despite a fix being rolled out.