Affiliate links on Android Authority may earn us a commission. Learn more.
Report: The Shot on OnePlus app leaked 'hundreds' of email addresses
- The Shot on OnePlus app contains a security flaw.
- The flaw exposed users’ names, countries, and email addresses.
- OnePlus somewhat addressed the security flaw.
According to a 9to5Google report published earlier today, a security flaw caused “hundreds” of email addresses to leak through the Shot on OnePlus app. OnePlus pre-installs the app on the OnePlus 7 Pro and other OnePlus phones.
As the name suggests, Shot on OnePlus shows other people’s photos and lets you upload your own. When you upload a photo, you can change its title, location, and description. Shot on OnePlus requires a login for photo uploads, with users able to change their profile names, countries, and email addresses within the app and website.
Unfortunately, 9to5Google found an API — mainly used to get public photos and make the link between the app and OnePlus’ servers — to be easy to access and without typical API securities. Hosted on open.oneplus.net, the API is accessible to anyone with an access token and seemingly contains sensitive user data.
Making matters worse is the “gid” in the API. The gid is an alphanumerical code that lets the API identify specific users. It’s comprised of two parts: two letters that reveal where a user is from and a unique number. For example, CN472834 is a user from China and EN593874 is a user from somewhere else.
The vulnerable API uses the gid to find a user’s uploaded photos or delete said photos. The API also uses the gid to get a user’s information, such as their name, country, and email, and update that information.
As if that wasn’t bad enough, you could cycle through a gid’s numbers to find other users.
The good news is the API no longer leaks the gid and email addresses of those who publicly upload photos. OnePlus also made it so only the Shot on OnePlus app uses the API, though 9to5Google notes that can be easily bypassed. Finally, the API obscures email addresses with asterisks.
Android Authority reached out to OnePlus for comment but didn’t receive a response by press time.