A security flaw in the ‘Shot on OnePlus’ app caused OnePlus to leak the email addresses and other personal information of hundred of its users, 9to5Google reported last week. 9to5Google said it discovered the “somewhat major” vulnerability in the API OnePlus uses for the app a couple of months ago, and that the company had already fixed it. It said it was unclear for how long users’ data had been leaking in this way, but believed it had been happening since the launch of the ‘Shot on OnePlus’ app many years ago.

How the API leaked users’ data

As the name suggests, ‘Shot on OnePlus’ allows users to upload their photos from the phone or from a website (for which they need to be logged in to the OnePlus account) and set user-submitted photos as their wallpaper. Users can also adjust their profile, including their name, country, and email address from the app and the website. OnePlus chooses one photo every day to feature in the app and on the website. According to 9to5Google, the API OnePlus used to make a link between their server and the app was “fairly easy to access” despite carrying private information about users. It said anyone with an access token could “do most actions” with the API. An API, or Application Programming Interface, is a software intermediary that allows two applications to talk to each other.

Apart from people’s emails, the app was also leaking alphanumeric codes called “gids” that OnePlus uses to identify individual users. The code specifies whether a user is from China (CN) or elsewhere (EN) and also includes a unique numerical ID. OnePlus’s API uses this ID to find photos uploaded by a particular user and delete them if required, but it could also be used to get information about a user (name, email, country) for malicious reasons, and even update this information. Because the second part of the code is a simple number, it was possible to find other users very easily by simply cycling through various numbers, the report said.

OnePlus data leaks and breaches

In January 2018, OnePlus said that the credit card details of up to 40,000 users of oneplus.net may have been compromised by an attack on one of its systems. A malicious script was injected into the payment page code at oneplus.net to sniff out users’ credit card information while it was being entered, the company said. It said some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may have been affected.

Prior to that, OnePlus had come under fire in October 2017, after a software engineer discovered that OxygenOS – its version of Android – was sending huge amounts of analytics data to the company. This included the phone’s IMEI number, the phone number, MAC addresses, mobile network names and IMSI prefixes, Wi-Fi connection info, the phone’s serial number, and every app that was ever opened.