OnePlus found to have sprung a user-data leak through a photography app

The Shot on OnePlus web interface. (Source: OnePlus)
The Shot on OnePlus web interface. (Source: OnePlus)
"Shot on OnePlus" is an initiative by which users can upload their shots via a smartphone app or online. This is done via an API, which, when analyzed, was found to be a ready source of user emails and IDs. The company's response to this situation currently includes an overhaul of this interface.
Deirdre O Donnell,

Shot on OnePlus is a promotional feature used by the OEM in question to highlight the photography attributes of its flagship phones. It has been in existence for several years now, and may allow talented users to see their work on the OnePlus website - and even in its devices' UI. However, it now seems that it may also have been a hazard to the privacy and data security to those same users for all this time.

9to5Google has been investigating this initiative for what it describes as the last few months, and has recently released its findings on the matter. It concerns the Shot on OnePlus API (or application programming interface), which is required to send the data submitted to it (through its smartphone app) back to its servers. The blog now claims that it allowed anyone with access to this interface to see user emails and IDs.

This would not be a problem if the access keys - and tokens required to gain one - were well-encrypted. However, 9to5Google claimed that both of these were alphanumeric codes, and, therefore, circumvented with ease. Thereafter, the blog was apparently able to call up data on individual submissions, all of which require a valid email address to go through to Shot on OnePlus.

These addresses were clearly visible within the response, as was the given user's gid, a unique number assigned to each Shot on OnePlus contributor. 9to5Google's investigators also reported that they had no reason to think that this leak would not have been in effect since the campaign's inception.

On the other hand, contacting the OEM with this information resulted in a rapid amendment to the API so as to obscure the email addresses in question with asterisks. In addition, the blog has reported that its latest attempt to call personal data from the API was blocked due to an "upgrade" (correct at time of writing).

The data in a Shot on OnePlus API response includes email addresses and IDs. (Source: 9to5Google)
The data in a Shot on OnePlus API response includes email addresses and IDs. (Source: 9to5Google)


static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2019 06 > OnePlus found to have sprung a user-data leak through a photography app
Deirdre O Donnell, 2019-06-15 (Update: 2019-06-16)
Deirdre O'Donnell
I became a professional writer and editor shortly after graduation. My degrees are in biomedical sciences; however, they led to some experience in the biotech area, which convinced me of its potential to revolutionize our health, environment and lives in general. This developed into an all-consuming interest in more aspects of tech over time: I can never write enough on the latest electronics, gadgets and innovations. My other interests include imaging, astronomy, and streaming all the things. Oh, and coffee.