‘Shot on OnePlus’ app leaked users’ email addresses and other personal data for years: report

A security flaw in the ‘Shot on OnePlus’ app caused OnePlus to leak the email addresses and other personal information of hundreds of its users, 9to5Google reported last week. 9to5Google said it discovered the “somewhat major” vulnerability in the API OnePlus uses for the app a couple of months ago, and that the company had already fixed it. It said it was unclear for how long users’ data had been leaking in this way, but believed it had been happening since the launch of the ‘Shot on OnePlus’ app many years ago.

How the API leaked users’ data

As the name suggests, ‘Shot on OnePlus’ allows users to upload their photos from the phone or from a website (for which they need to be logged in to the OnePlus account) and set user-submitted photos as their wallpaper. Users can also adjust their profile, including their name, country, and email address from the app and the website. OnePlus chooses one photo every day to feature in the app and on the website. According to 9to5Google, the API OnePlus used to make a link between their server and the app was “fairly easy to access” despite carrying private information about users. It said anyone with an access token could “do most actions” with the API. An API, or Application Programming Interface, is a software intermediary that allows two applications to talk to each other.

Apart from people’s emails, the app was also leaking alphanumeric codes called “gids” that OnePlus uses to identify individual users. The code specifies whether a user is from China (CN) or elsewhere (EN) and also includes a unique numerical ID. OnePlus’s API uses this ID to find photos uploaded by a particular user and delete them if required, but it could also be used to get information about a user (name, email, country) for malicious reasons, and even update this information. Because the second part of the code is a simple number, it was possible to find other users very easily by simply cycling through various numbers, the report said.
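
The flaw described above is a missing object-level authorization check: the server accepted any valid token and let the gid in the request decide whose record was read or changed. The sketch below is an added example, not OnePlus's code; the gid format, tokens, field names and the choice of which fields are public are all assumptions made for illustration. It shows the flawed lookup beside a version that binds each token to one gid.

```python
# Constructed sample data: the gid format (region prefix + sequential number) is assumed.
USERS = {
    "EN1001": {"name": "Asha", "country": "IN", "email": "asha@example.com"},
    "EN1002": {"name": "Ben", "country": "GB", "email": "ben@example.com"},
}
# Each access token is bound server-side to exactly one gid (hypothetical tokens).
TOKENS = {"tok-asha": "EN1001", "tok-ben": "EN1002"}

PUBLIC_FIELDS = ("name", "country")       # assumed safe to show beside a photo
EDITABLE_FIELDS = {"name", "country", "email"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested gid."""


def get_profile_flawed(token, gid):
    # Flawed pattern from the report: any valid token is enough, so the
    # gid in the request alone decides whose record is returned.
    if token not in TOKENS:
        raise Forbidden("invalid token")
    return dict(USERS[gid])


def get_profile(token, gid):
    # Hardened: resolve the caller from the token, then compare with the gid.
    caller = TOKENS.get(token)
    if caller is None or gid not in USERS:
        raise Forbidden("invalid token or unknown user")
    record = USERS[gid]
    if caller == gid:
        return dict(record)               # owner sees the full profile
    return {k: record[k] for k in PUBLIC_FIELDS}  # others never get the email


def update_profile(token, gid, changes):
    # Hardened: only the owner may write, and only to allow-listed fields.
    caller = TOKENS.get(token)
    if caller is None or caller != gid:
        raise Forbidden("token is not bound to this gid")
    unknown = set(changes) - EDITABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not editable: {sorted(unknown)}")
    USERS[gid].update(changes)
    return dict(USERS[gid])
```

With the ownership check in place, guessing a neighbouring numeric ID yields only the fields that were already public, and writes to another user's record are refused.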

OnePlus data leaks and breaches

In January 2018, OnePlus said that the credit card details of up to 40,000 users of oneplus.net may have been compromised by an attack on one of its systems. A malicious script was injected into the payment page code at oneplus.net to sniff out users’ credit card information while it was being entered, the company said. It said some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may have been affected.

Prior to that, OnePlus had come under fire in October 2017, after a software engineer discovered that OxygenOS – its version of Android – was sending huge amounts of analytics data to the company. This included the phone’s IMEI number, the phone number, MAC addresses, mobile network names and IMSI prefixes, Wi-Fi connection info, the phone’s serial number, and every app that was ever opened.


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
