“Shot on OnePlus” API was unprotected and exposed users’ email addresses
OnePlus’s “Shot on OnePlus” service, which comes with OnePlus devices by default, contained a security flaw that was just disclosed the other day. The flaw, discovered by 9to5Google, made it possible to grab the email addresses of users who uploaded pictures to the service. OnePlus has since partially rectified the issue by obscuring user emails and adding extra checks to the API, but it can still be bypassed.
“Shot on OnePlus”
“Shot on OnePlus” is a fairly self-explanatory app. Accessible via the Wallpapers selection menu, it has photos taken by OnePlus users and gives you the option to use them as your wallpaper. OnePlus selects a new photo every day to be featured in the app.
OnePlus chooses the photos from a library that users can upload to, either via the app itself or the website. Either way, users have to be logged in to their OnePlus account before uploading. When uploading a photo, users can choose a title, a location, and a brief description of the photo.
The API used by the “Shot on OnePlus” app to upload photos wasn’t secured. Anybody holding a valid access token could call the API, which is used primarily to retrieve and upload photos to OnePlus’s servers. The image below shows a response obtained via the API; as you can see, it contains information that a caller should not be able to obtain.
While it’s uncertain how long this API was left unprotected, it’s reasonable to assume that this has been the case since the launch of the “Shot on OnePlus” service in 2017, as OnePlus has had no reason to update the API since then.
How it works
A user’s “gid” is an alphanumeric code unique to each user. It has two components: a two-letter prefix – either CN or EN, denoting whether a user is from China (CN) or anywhere else (EN) – and a unique number of varying length. The API uses this gid to find photos uploaded by the related user and even to delete them. Unfortunately, the gid could not only be used to retrieve information about the user such as their email, name, and country, but also to update that information without any semblance of proper authorization.
Furthermore, because the second part of the gid is a number, it was possible to find other users simply by cycling through numbers.
9to5Google contacted OnePlus about these issues but never received a reply. However, they noticed changes were made to the API. The API now no longer leaks the gid and email of users. If you make the same request to the API as was used to get the above reply, the email is now obfuscated with asterisks.
On top of that, the API now attempts to verify that it is only used by the “Shot on OnePlus” app, but that can still be bypassed.
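To make the access-control defect concrete, here is an added example in Python that is not code from OnePlus or 9to5Google. It models a profile endpoint the way the article describes it (any valid token can read another user’s record by gid) beside a hardened version that ties the record to the token’s owner, masks the email for everyone else (as the partial fix above does), and refuses writes to other accounts. It also includes a log check that flags a token requesting many distinct gids. The regex for the gid format follows the CN/EN-plus-number description above; the user records, tokens, endpoint names and log lines are all constructed for the example.

```python
"""Added example (not OnePlus or 9to5Google code): a toy model of the
"Shot on OnePlus" profile lookup and a hardened replacement. Users, tokens
and log lines are constructed; the gid format follows the article."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# gid as described in the article: "CN" or "EN" followed by a number.
GID_RE = re.compile(r"^(CN|EN)(\d+)$")


@dataclass
class User:
    gid: str
    name: str
    email: str
    country: str


# Constructed sample data (hypothetical users and tokens).
USERS: Dict[str, User] = {
    "EN1001": User("EN1001", "Alice", "alice@example.com", "US"),
    "EN1002": User("EN1002", "Bob", "bob@example.com", "DE"),
    "CN7": User("CN7", "Chen", "chen@example.cn", "CN"),
}
# Access token -> the gid the token was issued for.
TOKENS: Dict[str, str] = {"tok-alice": "EN1001", "tok-bob": "EN1002", "tok-x": "CN7"}


def parse_gid(gid: str):
    """Split a gid into (region, number); reject anything else."""
    m = GID_RE.match(gid)
    if not m:
        raise ValueError(f"malformed gid: {gid!r}")
    return m.group(1), int(m.group(2))


def mask_email(email: str) -> str:
    """Keep the first character of the local part, star out the rest."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}{'*' * max(len(local) - 1, 1)}@{domain}"


def vulnerable_profile(token: str, gid: str) -> Optional[dict]:
    """The defect: the token proves *who is calling*, not that the caller
    may read this particular record. Any valid token reads any gid."""
    if token not in TOKENS:
        return None
    user = USERS.get(gid)
    return None if user is None else dict(vars(user))


def hardened_profile(token: str, gid: str) -> Optional[dict]:
    """Fix: object-level authorization. Owners get their own full record;
    everyone else gets a public view with the email masked."""
    caller = TOKENS.get(token)
    if caller is None:
        return None
    parse_gid(gid)  # reject malformed identifiers before any lookup
    user = USERS.get(gid)
    if user is None:
        return None
    if caller == gid:
        return dict(vars(user))
    return {"gid": gid, "name": user.name, "email": mask_email(user.email)}


def hardened_update(token: str, gid: str, **fields) -> bool:
    """Writes are owner-only; anything else is refused with no side effects."""
    if TOKENS.get(token) != gid or gid not in USERS:
        return False
    for key, value in fields.items():
        if key in ("name", "email", "country"):
            setattr(USERS[gid], key, value)
    return True


# Constructed access-log lines: one token walks through several gids.
SAMPLE_LOG: List[str] = [
    "GET /api/profile token=tok-alice gid=EN1001 200",
    "GET /api/profile token=tok-x gid=EN1001 200",
    "GET /api/profile token=tok-x gid=EN1002 200",
    "GET /api/profile token=tok-x gid=EN1003 404",
    "GET /api/profile token=tok-x gid=EN1004 404",
    "GET /api/profile token=tok-bob gid=EN1002 200",
]


def flag_enumeration(log_lines: List[str], threshold: int = 3) -> List[str]:
    """Detection: tokens that requested more than `threshold` distinct,
    well-formed gids (a single app user has no reason to do that)."""
    seen: Dict[str, set] = {}
    for line in log_lines:
        m = re.search(r"token=(\S+) gid=(\S+)", line)
        if not m:
            continue
        try:
            parse_gid(m.group(2))
        except ValueError:
            continue
        seen.setdefault(m.group(1), set()).add(m.group(2))
    return sorted(tok for tok, gids in seen.items() if len(gids) > threshold)
```

The design point is that checking which app sent the request, as the updated API now tries to do, is a client-identity check and can be imitated; the authorization decision has to be made server-side against the identity the token was issued for, which is what `hardened_profile` and `hardened_update` do. The log check is a coarse signal for a security team to alert on, not a substitute for that fix.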
Since 9to5Google published their article, OnePlus appears to have sat up and taken more notice. They first issued the following statement:
OnePlus takes security seriously, and we investigate all reports we receive.
Then they updated the API. The functionality allowing you to get and change account information is blocked, instead returning the message “Functionality upgrading, please try again later.”
Hopefully, we’ll now see this API being far better secured once OnePlus brings it back from maintenance.
Source: 9to5Google