Over the course of years, the OnePlus brand of smartphones, a Chinese brand, was known to be leaking personal information. This has happened for years, from the time OnePlus was released until now. The incident came to light recently, in the month of June, through “9to5 Google”.
According to “9to5 Google”, the personal information of OnePlus users was leaking without their notice. This had been happening for a long time. Since the majority of users were affected by this breach of security, OnePlus took measures once the issue was highlighted.
The Security Flaw; The Problem
The leak of personal information originated from a built-in application called “Shot On OnePlus”, found under the “Wallpapers” menu. The application allows OnePlus users to submit their images. The biggest flaw of this feature is that OnePlus would use these pictures to feature them publicly as well as on the official website.
As a result, these pictures could be used as wallpapers by other people across the world, on the internet.
How this Flaw Happens
This OnePlus security problem arises through a particular sequence of steps. First, users need to be signed into their OnePlus account with their personal email address. Then, when a user uploads an image in the application, they are asked to fill in a suitable title for the image and the location of the image.
Not only that, they are asked to give their email address too. After this, the data was leaked to the public website through the application.
Possible Cause: Weak Application Programming Interface (API)
OnePlus users of this application faced this major security flaw for a year. The supposed cause of the issue is weak functions in the Application Programming Interface (API), which is a communication protocol between the application and the server.
Basically, if the functions or protocols of the API are weak or do not have the right parameters, this can happen. The API uses a “gid” or “oneplus data collection” to identify the users, which additionally helps to locate the images. These pictures are deleted from the server itself.
However, there is a catch. With two specific letters and a set of unique numbers, images and personal information can be accessed. This includes data such as email addresses, locations, and names.
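The pattern described above, an identifier that by itself unlocks a user's stored record, is shown here next to a hardened lookup. This is an added example, not OnePlus code: the function names, field names, publishing policy and sample records are all assumptions constructed for illustration.

```python
# Constructed sample store keyed by a gid-style identifier
# (two letters plus digits). All values are made up.
UPLOADS = {
    "AB1234567": {"email": "a@example.com", "name": "User A",
                  "title": "Harbour at dusk", "location": "Lisbon"},
    "CD7654321": {"email": "b@example.com", "name": "User B",
                  "title": "Ridge line", "location": "Oslo"},
}

PUBLIC_FIELDS = ("title", "location")   # assumed publishing policy
PRIVATE_FIELDS = ("email", "name")      # assumed to be account-only data


def lookup_leaky(gid):
    """'Before': any caller who supplies a gid gets the full stored record."""
    return dict(UPLOADS[gid])


def lookup_hardened(gid, session_gid=None):
    """'After': the full record goes only to the signed-in owner.

    session_gid is assumed to come from the authenticated session,
    never from a request parameter. Everyone else receives an
    allow-listed view, so fields added to the store later stay private
    by default.
    """
    record = UPLOADS.get(gid)
    if record is None:
        return None
    if session_gid is not None and session_gid == gid:
        return dict(record)
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def leaked_fields(response):
    """Regression check: which private fields appear in a response?"""
    return sorted(f for f in PRIVATE_FIELDS if f in response)


if __name__ == "__main__":
    print("leaky, anonymous:   ", leaked_fields(lookup_leaky("AB1234567")))
    print("hardened, anonymous:", leaked_fields(lookup_hardened("AB1234567")))
    print("hardened, other user:",
          leaked_fields(lookup_hardened("AB1234567", session_gid="CD7654321")))
```

Running `leaked_fields` over every public endpoint's response in a test suite catches this class of leak before release.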
OnePlus Response to This Security Flaw
When this major drawback was noticed, “9to5 Google” sent a query about the problem. However, OnePlus was not responsive until recently. In a statement, OnePlus mentions that “OnePlus take security seriously, and we investigate all reports we receive”. After that, the API was changed with additional parameters.
OnePlus decided to release an update that blocks the bypass. As a result, the gid is said to be blocked currently, with the modifications that were made.
The Resulting Outlook Throughout the Problem
As of now, there have been no instances of exploitation of this leaked information. No such report has been filed yet. However, the expectation is that OnePlus will take this event as a learning experience and create a more secure environment in the near future.