“The leak was happening through the Shot On OnePlus app on the company’s smartphones”
OnePlus has been leaking email data of its smartphone users through the ‘Shot on OnePlus’ app, a finding by 9to5Google has revealed. Apparently, the leak was taking place because of a flaw that was communicated to the company in early May but hasn’t been completely patched despite a fix being rolled out. The report also states that the email leak has been taking place since the company released the ‘Shot on OnePlus’ app, which is a couple of years old, for its smartphones.
The Shot on OnePlus app is a platform where users upload photos that other users across the globe can use as wallpapers. The app requires users to sign in to upload photos. The publication found that the API linking the app and the OnePlus server allowed easy access to user emails because it had an unencrypted key for token access. The API was hosted on open.oneplus.net. As of now, there aren’t any reports of this leaked data being misused; however, OnePlus shouldn’t take this leak lightly.
OnePlus didn’t initially respond to an email query from the publication but has now provided a statement stating, “OnePlus takes security seriously, and investigate all reports we receive.” The company has also silently made changes to the API to fix the flaw and obscured the email addresses that were previously viewable. OnePlus phones have had a number of security issues in the past as well, such as the backdoor issue in OxygenOS that allowed the company to collect sensitive user data back in 2017.