OnePlus users across the globe got a huge scare this week, when a report highlighted that because of a flaw millions of email IDs are likely to have been exposed.
This issue, first reported by 9to5Google, suggests that OnePlus users were inadvertently sharing their details with the company through the “Shot on OnePlus” watermark and library. These details were unknowingly available to anybody with access to the API codes of the app.
The “Shot on OnePlus” branding is a user ecosystem for photos, which is available to anyone with a OnePlus phone, allowing them to upload their pictures and details like email ID and device type.
Leaving such private information accessible to anyone is slightly concerning, but the report does mention that OnePlus has fixed the issue and users can now breathe a sigh of relief.
What Was the Issue?
The Shot on OnePlus seems to be a big photo community for OnePlus users, with user from India also a big part of it.
The issue with the app, as given in the report, became clearer when a person with access to the Application Program Interface (API) codes of the app, primarily used for hosting photos on the server from the devices, was able to see the email IDs of the users and even their GID (group identifier) number.
GID number can be used to identify users by country and contains a unique alpha-numeric code to search for them in the back-end for details like name, email ID and device they are using.
The APIs are hosted on open.oneplus.net by OnePlus, the report cited.
APIs are an intrinsic part of how apps work on mobile phones and developers have the know-how to fix and tweak them as required. While it would be hard to ascertain the damage exposing of email IDs would have caused to users, it does raise concerns about how OnePlus takes care of security of its users.
Replying to the issue raised by 9to5Google, OnePlus said “OnePlus takes security seriously, and we investigate all reports we receive.” The problem seems to have been fixed, possibly by reworking the API of the app.
Users might feel now that the issue has been sorted, there’s nothing to worry about. However, what bothers us is that the company didn’t proactively inform its users or share this issue publicly earlier, which might have helped its cause greatly.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)