Web application security test researchers have released a report claiming that OnePlus smartphones are leaking sensitive user information. Users’ personal information is collected when someone buys a new OnePlus, or when the Android OS smartphone is activated.
According to the report, when getting a new OnePlus the company asks users to enter some basic data, such as customer name, phone number, email address and home address. The device is activated after the user delivers this information, but this does not end there.
According to web application security test experts, when the user tries to install a specific app on the OnePlus device, they must enter their information again, even when their Microsoft account is active on the device.
The smartphone has a pre-installed application called Shot on OnePlus, which allows users to use any photo contained in the application as wallpaper. When you upload a photo to the app, it becomes completely public and any other user of the app can get it. The company offers certain credits to users in exchange for uploading photos. The information provided by users goes directly to OnePlus servers, which have been shown to have severe security flaws that cause information leaks.
Web application security test experts don’t have more information to say exactly how long OnePlus has been leaking information, but they don’t rule out the possibility that virtually all records held by the company are exposed to leaking.
It is not yet clear whether the company operates the exposed information in any way or whether any external threat actors have accessed the records. If so, users’ personal data will most likely end up for sale on a dark web forum.
According to experts from the International Cyber Security Institute (IICS), among the main reasons hackers steal personal information are:
- Sale tit o marketing or credit card companies
- Use for spam campaigns
- Hacking attempts (brute force attacks, credential stuffing, etc.)