'Shot on OnePlus' service leaked some users' information for at least two months

In Apr, 9to5Google discovered the 'Shot on OnePlus' service failed to shield uploaders' personal information from prying eyes. When the website contacted OnePlus nigh the security oversight, the company fixed the problem without issuing an official statement on the matter.

Because the 'Shot on OnePlus' service is community-driven wallpaper section on OnePlus smartphones, it requires users to log into their OnePlus business relationship before they can make a submission. Uploaders can alter their profile information (name, country, email), as well as add together a title, a location and a description of the photo they're uploading. Later that, OnePlus servers host the images for the community wallpaper service to retrieve.

In almost cases, the retrieval process goes through a well-written API sitting between the servers and the wallpaper service to make certain null sensitive leaks through the data commutation. That was, unfortunately, non the case for OnePlus.

9to5Google plant out they could easily breach the API and do things OnePlus wouldn't like. For instance, the website found it could obtain a user's email accost and, worse, their internal identification number. With that, 9to5Google believes it could rail downwardly any uploader and change their stored proper noun, email and country without much consequence.

It is unclear if hackers could capitalize on the vulnerability to maliciously alter the uploaders' profiles or just mess with the photos' background information.

This is the second time that OnePlus had a publicly known security problem. In 2017, a software engineer discovered the smartphone maker collected personal data using an analytics app.

Source: 9to5Google

Source: https://mobilesyrup.com/2019/06/14/shot-on-oneplus-service-leaked-users-information/

Posted by: fabriziotwoured.blogspot.com

Share this post