
OnePlus found to have sprung a user-data leak through a photography app

The Shot on OnePlus web interface. (Source: OnePlus)
"Shot on OnePlus" is an initiative by which users can upload their shots via a smartphone app or online. This is done via an API, which, when analyzed, was found to be a ready source of user emails and IDs. The company's response to this situation currently includes an overhaul of this interface.

Shot on OnePlus is a promotional feature used by the OEM in question to highlight the photography attributes of its flagship phones. It has been in existence for several years now, and may allow talented users to see their work on the OnePlus website - and even in its devices' UI. However, it now seems that it may also have been a hazard to the privacy and data security of those same users for all this time.

9to5Google has been investigating this initiative for what it describes as the last few months, and has recently released its findings on the matter. They concern the Shot on OnePlus API (application programming interface), through which the smartphone app sends submitted data back to the company's servers. The blog now claims that this interface allowed anyone with access to it to see user emails and IDs.

This would not be a problem if the access keys - and the tokens required to obtain one - were properly secured. However, 9to5Google claimed that both of these were simple alphanumeric codes, and therefore easily circumvented. Thereafter, the blog was apparently able to call up data on individual submissions, all of which require a valid email address to go through to Shot on OnePlus.

These addresses were clearly visible within the response, as was the given user's gid, a unique number assigned to each Shot on OnePlus contributor. 9to5Google's investigators also reported that they had no reason to think that this leak would not have been in effect since the campaign's inception.

On the other hand, contacting the OEM with this information resulted in a rapid amendment to the API so as to obscure the email addresses in question with asterisks. In addition, the blog has reported that its latest attempt to call personal data from the API was blocked due to an "upgrade" (correct at time of writing).
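The mitigation described above, masking addresses in the response, as an added example (not OnePlus's or 9to5Google's code): a check that scans a serialized API response for exposed email addresses, and a sanitizer that masks them with asterisks before the response is returned. The field names and the submission record are constructed assumptions.

```python
import json
import re

# Constructed sample response modelled on the kind of submission record the
# article describes (an email plus a per-user gid); field names are assumed.
SAMPLE_RESPONSE = json.dumps({
    "submissions": [
        {"gid": 10421, "email": "alice.example@example.com", "title": "Sunset"},
        {"gid": 10422, "email": "bob@example.org", "title": "Street"},
    ]
})

# Deliberately simple address pattern; good enough for a leak check, not RFC-complete.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the domain; star the rest."""
    local, _, domain = addr.partition("@")
    if not domain:
        return "*" * len(addr)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def sanitize(obj):
    """Recursively mask any string value that looks like an email address."""
    if isinstance(obj, dict):
        return {k: sanitize(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [sanitize(v) for v in obj]
    if isinstance(obj, str) and EMAIL_RE.fullmatch(obj):
        return mask_email(obj)
    return obj


def exposed_emails(raw_json: str) -> list:
    """Detection check: full addresses still present in a serialized response."""
    return EMAIL_RE.findall(raw_json)


def sanitize_response(raw_json: str) -> str:
    """Parse, mask, and re-serialize a response so no full address leaves the API."""
    return json.dumps(sanitize(json.loads(raw_json)))
```

Running `exposed_emails` against the unsanitized sample finds both addresses; against the output of `sanitize_response` it finds none, which is the property a regression test on the API should assert.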

The data in a Shot on OnePlus API response includes email addresses and IDs. (Source: 9to5Google)

Deirdre O Donnell, 2019-06-15 (Update: 2019-06-16)