
The Oppo spinoff's latest in a long line of blunders involves the leaking of hundreds of user emails through the insecure servers of their photo sharing app.
OnePlus has a long history of being caught up in lies, deceit, and other needless controversies, from confusingly pointless and offensive schemes such as ‘Ladies First’, which awarded the ability to buy their early devices to attractive women, to the collection of user data via their ‘Analytics’ app, to their recent misrepresentation of the OnePlus 7 Pro's zoom lens as 3x optical when it was in fact a cropped 2.2x optical sensor.
Now it has been revealed that OnePlus architected the servers of their ‘Shot On OnePlus’ photo sharing app very poorly, with easily exploitable security flaws allowing mass collection of user names, emails, and other details, seemingly since its inception a few years ago.

The primary flaw, first discovered and relayed to OnePlus by 9TO5Google months ago but only now being released to the public following fixes, was that OnePlus was storing information on shared images behind an unsecured API, accessed with an access token that was retrieved using an unencrypted, alphanumeric key.
Exposed through this vulnerability are user IDs called ‘GIDs’, which consist only of either ‘CN’ or ‘EN’, for Chinese or global users respectively, followed by an identifying number; this makes it laughably simple to iterate through all users.
Unfortunately, OnePlus has not done extensive work to rectify the issue in response; they have made the API harder to access and obscured emails with asterisks, but the former is apparently easy to bypass and the entire system is now a known quantity. OnePlus does claim they are working on further changes, however.
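One way a service with IDs of this shape could spot a client walking through them in its own access logs, as an added example that is not code from OnePlus or 9TO5Google. The log fields, client labels, thresholds and function names are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# GID shape as the article describes it: 'CN' or 'EN' followed by a number.
GID_RE = re.compile(r"(CN|EN)(\d+)")

# Constructed sample access log (client token label, requested GID); not real data.
SAMPLE_LOG = (
    [("tok-a", f"EN{n}") for n in range(1001, 1007)]            # six IDs in order
    + [("tok-b", "EN52"), ("tok-b", "EN52"), ("tok-b", "CN7")]  # ordinary repeat views
    + [("tok-c", "XX12"), ("tok-c", "EN9")]                     # one malformed GID
)

def parse_gid(gid):
    """Return (region, number) for a well-formed GID, else None."""
    m = GID_RE.fullmatch(gid)
    return (m.group(1), int(m.group(2))) if m else None

def longest_run(numbers):
    """Length of the longest run of consecutive integers in `numbers`."""
    nums, best = set(numbers), 0
    for n in nums:
        if n - 1 not in nums:          # n is the start of a run
            length = 1
            while n + length in nums:
                length += 1
            best = max(best, length)
    return best

def flag_enumerators(log, min_distinct=5, min_run=4):
    """Flag clients whose requests cover many distinct, consecutive GIDs."""
    seen = defaultdict(lambda: defaultdict(set))
    for client, gid in log:
        parsed = parse_gid(gid)
        if parsed is None:
            continue                   # malformed IDs are not counted here
        region, number = parsed
        seen[client][region].add(number)
    flagged = {}
    for client, regions in seen.items():
        distinct = sum(len(v) for v in regions.values())
        run = max(longest_run(v) for v in regions.values())
        if distinct >= min_distinct and run >= min_run:
            flagged[client] = {"distinct": distinct, "longest_run": run}
    return flagged

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))
```

Detection of this kind complements per-request authorization and non-sequential identifiers; it does not replace them.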
At this point it's becoming pretty difficult to put much trust in OnePlus, with gaffes every few months including repeated data security concerns; I certainly don't.
Source: 9TO5Google