OnePlus has reportedly leaked out email addresses of hundreds of their users for multiple years through the ‘Shot on OnePlus’ wallpapers app. According to a report by 9to5Google, the API which establishes a link between OnePlus server and the ‘Shot on OnePlus’ app found leaking the email addresses associated with the photos. It essentially allows users to submit images with details to feature as wallpapers for everyone, and get credit for it.
When users upload a photo on the wallpapers app, the company lets them enter a title, a location, and a description of the image they submit. Then the photo gets evaluated and approved by the company. It then appears publicly as a wallpaper and gets available to all the users. It also appears within the gallery on the company’s website.
“It is unclear for how long this leak was happening, but because OnePlus had no reason to make this data public after the application was out, we believe is was leaking data since its release – multiple years, at least,” noted report.
In early May, the Chinese company was reportedly informed about the security flaw. However, the issue didn’t get resolve despite the fix. Now it appears, the company indeed silently leaked email addresses of the app users. As per report, a “gid” in the API is used to identify users. It had two alphabets and unique numbers that could potentially be used to access sensitive data, including the name and email addresses.
Watch Video: OnePlus 7 Pro First Look
Having said that, no user has so far reported about the details being exploited through this security flaw. Also, the report mentions that emails collected by the app are not publicly accessible. The company initially didn’t respond to 9to5Google. But later provided a statement noting that the, “OnePlus takes security seriously, and we investigate all reports we receive.”