tech2 News StaffJun 17, 2019 11:43:10 IST
Chinese smartphone maker OnePlus had earlier had scruffs with data leaks back in 2017 when it was found that the company was collecting detailed information about users' data without their permission. Now it appears OnePlus is back in the news again with more data leaks and this time it concerns in the Shot on OnePlus app.
The app offers you a place to upload photos taken by your OnePlus device to be featured as wallpapers by OnePlus users globally. However, as per a 9to5Google report, it would seem that that API which made the connection between the app and OnePlus server was leaking important user data such as email addresses, names and countries associated with the users who shared the photos.
The API, which was hosted on open.oneplus.net, is quite easy to access with an access token, said the report. "It is unclear for how long this leak was happening, but because OnePlus had no reason to make this data public after the application was out, we believe it was leaking data since its release — multiple years, at least," the report notes.
A key vulnerability in the API is a 'gid' which is an alphanumeric code used to identify a user. The gid has two parts which are two letters that mark whether a user is from China (CN) or somewhere else (EN) and a unique number like 123456.
As per the report "this ID is used by OnePlus’s API to find photos uploaded by a particular user or to delete them. It could also be used to get information about that user (name, email, country) and even update this information without any real security."
Currently, there have been no reports of user data being exploited by this flaw.
When 9to5Google asked OnePlus about this flaw, the company said "OnePlus takes security seriously, and we investigate all reports we receive."
The report also states that "OnePlus appears to be working on a fix for the API. At the moment, getting and modifying account information is blocked, with the following message appearing: Functionality upgrading, please try again later."
Find our entire collection of stories, in-depth analysis, live updates, videos & more on Chandrayaan 2 Moon Mission on our dedicated #Chandrayaan2TheMoon domain.