In April, 9to5Google discovered the ‘Shot on OnePlus’ service failed to shield uploaders’ personal information from prying eyes. When the website contacted OnePlus about the security oversight, the company fixed the problem without issuing an official statement on the matter.
Because the ‘Shot on OnePlus’ service is a community-driven wallpaper section on OnePlus smartphones, it requires users to log into their OnePlus account before they can make a submission. Uploaders can modify their profile information (name, country, email), as well as add a title, a location and a description of the photo they’re uploading. After that, OnePlus servers host the images for the community wallpaper service to retrieve.
In most cases, the retrieval process goes through a well-written API sitting between the servers and the wallpaper service to make sure nothing sensitive leaks through the information exchange. That was, unfortunately, not the case for OnePlus.
9to5Google found it could easily breach the API and do things OnePlus wouldn’t like. For example, the website found it could obtain a user’s email address and, worse, their internal identification number. With that, 9to5Google believes it could track down any uploader and change their stored name, email and country without much issue.
It is unclear if hackers could capitalize on the vulnerability to maliciously alter the uploaders’ profiles or just mess with the photos’ background information.
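The following is an added example, not OnePlus code, sketching two server-side controls that address the issues reported above: an allowlist on the fields returned to the wallpaper client, and a profile update bound to the logged-in session rather than to an ID supplied by the caller. All field names, sample records and functions are hypothetical, and which fields count as public is an assumption.

```python
from dataclasses import dataclass

# Assumption: the only fields the wallpaper client needs to show a photo.
PUBLIC_PHOTO_FIELDS = ("photo_url", "title", "location", "description", "author_name")
# Profile fields the article says an uploader can modify.
EDITABLE_PROFILE_FIELDS = {"name", "email", "country"}


class Forbidden(Exception):
    """Raised when a caller targets an account it does not own."""


@dataclass(frozen=True)
class Session:
    user_id: int  # set by the server at login, never read from the request


# Constructed sample data standing in for what the backend stores.
STORED_PHOTO = {
    "photo_url": "https://photos.example/1.jpg",
    "title": "Harbour at dusk",
    "location": "Lisbon",
    "description": "Long exposure",
    "author_name": "Ana",
    "author_email": "ana@example.com",  # private
    "author_id": 1001,                  # private internal identifier
}
PROFILES = {
    1001: {"name": "Ana", "email": "ana@example.com", "country": "PT"},
    1002: {"name": "Ben", "email": "ben@example.com", "country": "UK"},
}


def serialize_photo(record: dict) -> dict:
    """Copy only allowlisted fields, so a newly added column is private by default."""
    return {key: record[key] for key in PUBLIC_PHOTO_FIELDS if key in record}


def update_profile(session: Session, target_user_id: int, changes: dict, profiles: dict) -> dict:
    """Apply changes only when the target account is the caller's own."""
    if target_user_id != session.user_id:
        raise Forbidden("profile belongs to another account")
    unknown = set(changes) - EDITABLE_PROFILE_FIELDS
    if unknown:
        raise ValueError(f"fields not editable: {sorted(unknown)}")
    profiles[target_user_id].update(changes)
    return profiles[target_user_id]
```

With the ownership check in place, a leaked identifier on its own no longer lets a caller edit someone else's profile.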
This is the second time that OnePlus has had a publicly known security problem. In 2017, a software engineer discovered the smartphone maker collected personal information using an analytics app.