Leak in Shot On OnePlus feature made readout of email addresses possible

Spread the love

OnePlus phones have long had a vulnerability that made it possible to retrieve email addresses of users of the Shot On OnePlus feature. This was due to a weakness in the API. The leak has now been repaired.

9to5Google discovered that, which informed OnePlus about the leak. That has now been closed. The leak was in the Shot On OnePlus feature, part of the company’s wallpaper app. Shot On OnePlus featured photos of other OnePlus users to share their own photos as wallpapers with other users. They could do that directly from the app itself, or upload photos to a website. To upload a photo, users had to create an account.

9to5Google discovered that there was a leak in the API behind the feature. To use the api, users had to have a key and an access token, but both consisted of only a short alphanumeric code. That code could be found by looking up the ID of a photo via the api. Moreover, with the api it turned out not only to be possible to request the photo and photo information, but also e-mail addresses.

OnePlus has not yet responded to the find, but has quietly changed the api so that it is no longer possible to retrieve information from the api.

You might also like
Exit mobile version