According to an exclusive report from 9to5Google, OnePlus has let data logged from its users in the Shot on OnePlus wallpaper app leak through a security hole, including information such as email, country, upload location, name, and other details.
As the app's name suggests, it lets users of the brand's smartphones upload photos captured with OnePlus device cameras so they can be used as wallpapers. However, the images are sent along with details about the user who uploaded them, and a loophole in the API allows anyone with access to the token to access the users' data as well.
In the image below, obtained by 9to5Google, which redacted some of the user's information (such as email, social name, country, etc.) for ethical reasons and to prevent identification, we see that the company lists more than 15 pieces of information about the user once the picture is posted.
The site makes it clear that there is no way to know how long this leak has been going on, “but since OnePlus had no reason to disclose this data after the application was closed, we believe it was leaking data since its release – several years at least.”
Highlighted in the image, the “gid” is described as a user identification number made up of two letters and six numbers: the letters reveal the country of origin and the unique numbers identify the user. This identifier allows OnePlus to find a particular user, search for photos by location more easily, or even delete content that does not follow the rules of the app.
In an official statement to 9to5Google, the company was quick to state that “OnePlus takes security seriously, and we are investigating all the reports we receive.” It looks like the company may already be fixing the error, since the service used to modify or retrieve account information is blocked, with a note stating that the functionality is being updated.