A couple months ago, we discovered a somewhat major security flaw that affected many OnePlus users. The company had been leaking the email addresses of hundreds of their users through the ‘Shot on OnePlus’ app. The most important issue is fixed now, but here’s a breakdown of how it happened, and what OnePlus still needs to fix.
Shot on OnePlus
If you have a OnePlus device, you might have noticed the ‘Shot on OnePlus’ application, accessible through the Wallpapers selection menu. As the name would suggest, it contains photos uploaded by OnePlus users, allowing you to set them as your current wallpaper. Each day, one new photo appears within the application.
OnePlus appears to be working on a fix for this security issue. See the updates below for more information.
Users can either upload photos from the app itself or from a website. In either case, it is required to be logged in to upload a photo. Users can also adjust their profile including their name, country, and email address from both the app and the website. Finally, when users upload a photo, they can define a title, a location, and a description of the photo. If the photo is selected, it appears publicly in the Shot on OnePlus app and within the Gallery on their website.
When users upload a photo, they can enter a title, a location, and a description of the photo. If the photo is selected by OnePlus, it appears publicly in the Shot on OnePlus app and within the gallery on their website.
What went wrong?
The Shot on OnePlus app uses an API to make a link between their server and the app. Photos and other info that needs to be saved online has to go through this API. Normally, an API, especially one that can be used to retrieve private information about users, is secured in various ways.
Instead, the API used by OnePlus was and is fairly easy to access. Their API — hosted on open.oneplus.net — can be used by anyone with an access token. The access token is required to do most actions with the API. An unencrypted key is required to retrieve the access token, but this is its only purpose. Both the access token and the unencrypted key are alphanumeric codes.
The API is mainly used to get public photos. But as you can see in the following screenshot — which is a response obtained by using the API used by OnePlus — you could find sensitive data that should normally not be accessible publicly.
(To protect the user’s identity, any field that would lead to the identification of this person was blurred.)
It is unclear for how long this leak was happening, but because OnePlus had no reason to make this data public after the application was out, we believe is was leaking data since its release — multiple years, at least. One of the key vulnerabilities with this leak was related to what OnePlus calls a “gid”.
What is the “gid”, and how is it used?
The “gid” is an alphanumeric code used to identify a user. Anyone who has ever logged into the Shot on OnePlus app has a “gid” in this API. It consists of two parts:
- Two letters that mark whether a user is from China (CN) or somewhere else (EN)
- A unique number, like 123456
This ID is used by OnePlus’s API to find photos uploaded by a particular user or to delete them. It could also be used to get information about that user (name, email, country) and even update this information without any real security.
There was also another flaw. Because the second part is a simple number, it was possible to find other users very easily by simply cycling through various numbers.
What did OnePlus do about this?
We contacted OnePlus about these issues but received no direct response. However, they quickly made changes to the API after our email and it is no longer leaking the gid and email of users whose photos are posted publicly.
As for the “gid” flaw, OnePlus added a bit more security to some parts of the API. They now attempt to ensure that the API is only used by the Shot on OnePlus app, but this can be very easily bypassed. Additionally, they now obscure the email address by adding asterisks, for example “firstname.lastname@example.org”.
This isn’t the first first security issue OnePlus has faced on their devices. Back in 2017, Christopher Moore, a software engineer, discovered that OnePlus was collecting personal information about users within an app used for analytics. However, as of today, emails collected by the app are not publicly accessible as far as I know.
In the case of this new issue, OnePlus should completely verify their APIs and update the app on all devices accordingly. They have been aware of these flaws since the beginning of May, but they’ve shown no public concern. They felt no need to disclose that users emails were easily accessible to anyone. In fact, it’s still possible to modify the name, email, homepage and country code of any user. To fix this, OnePlus needs to completely rework their API, and update the ‘Shot on OnePlus’ app.
We’ve reached out to OnePlus for comment on the matter and will update when we hear back.
Update: OnePlus has issued a statement to us on this matter:
OnePlus takes security seriously, and we investigate all reports we receive.
Update 2: OnePlus appears to be working on a fix for the API. At the moment, getting and modifying account information is blocked, with the following message appearing:
Functionality upgrading, please try again later.
Update 3: OnePlus has announced on its forums that it is working on an update for the backend of the Shot on OnePlus Gallery feature.
We are working on upgrading our backend for the Shot on OnePlus Gallery feature. Hence, it will be temporarily unavailable for use. We apologize for this inconvenience and hope to be back online shortly with new version updates and releases.
It’s unclear if this is related to our findings or not, as we never were updated on this matter.