OnePlus has a little-known feature bundled with its phones called "Shot on OnePlus." It's a way for people to show off the photos they take on their phones by making them available to other OnePlus users as wallpapers. However, OnePlus reportedly designed its API in such a way that it was easy for someone to harvest email addresses from Shot on OnePlus.

Users can upload photos to Shot on OnePlus from the phone or using a website. In either case, you need to log in first, so there's an email address associated with your photo submissions. The API for the service was allegedly easy to access for anyone with the right token, hosted on You'd need a key to get the token, but the key wasn't encrypted and consisted of a simple alphanumeric string. So, it was trivially easy for someone to get into the API if they really wanted to. The "gid" codes used to identify users were also out in the open, so it was possible to scrape or modify a user's data once you had that user's gid. Because the gids were simple numbers, an attacker could also cycle through them to get data on other users.

After getting a heads-up, OnePlus apparently made it harder to access the API without going through the Shot on OnePlus service. Email addresses are also obfuscated with asterisks now. It's not exactly encouraging to see this sort of lax security, but it probably affected a few hundred people at most. There's also no confirmation of any in-the-wild exploitation of the flaw. This is not a very popular feature, which is lucky for OnePlus.
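The two weaknesses the article describes, sequential user identifiers that can be walked one after another and email addresses returned in the clear, are both visible from the service side. The example below is added here and is not OnePlus code; it shows, in Python, how a defender would spot a client walking consecutive gids in an access log, mask an email address with asterisks before returning it, and issue non-sequential public identifiers in place of counters. The log format, the client addresses, the `gid` query parameter and the exact masking layout are all constructed for this example.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample access log (not OnePlus data).
# Format assumed here: "<timestamp> <client_ip> GET /api/user?gid=<gid>"
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 203.0.113.7 GET /api/user?gid=1001
2019-06-01T10:00:02Z 203.0.113.7 GET /api/user?gid=1002
2019-06-01T10:00:02Z 203.0.113.7 GET /api/user?gid=1003
2019-06-01T10:00:03Z 203.0.113.7 GET /api/user?gid=1004
2019-06-01T10:00:04Z 203.0.113.7 GET /api/user?gid=1005
2019-06-01T10:00:05Z 198.51.100.4 GET /api/user?gid=2048
2019-06-01T10:00:09Z 198.51.100.4 GET /api/user?gid=2048
2019-06-01T10:01:00Z 192.0.2.9 GET /api/user?gid=77
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) GET /api/user\?gid=(?P<gid>\d+)$")


def parse_log(text):
    """Yield (client, gid) pairs from the constructed log format above; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("client"), int(m.group("gid"))


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among the given ids."""
    ids = set(ids)
    best = 0
    for gid in ids:
        if gid - 1 in ids:
            continue  # only count from the first id of a run
        length = 1
        while gid + length in ids:
            length += 1
        best = max(best, length)
    return best


def detect_id_enumeration(text, threshold=4):
    """Map client -> run length for clients that requested >= threshold consecutive gids.

    A legitimate user looks at their own gid (or a handful of others); a client
    stepping through 1001, 1002, 1003, ... is scraping the user table.
    """
    seen = defaultdict(set)
    for client, gid in parse_log(text):
        seen[client].add(gid)
    flagged = {}
    for client, gids in seen.items():
        run = longest_consecutive_run(gids)
        if run >= threshold:
            flagged[client] = run
    return flagged


def mask_email(addr):
    """Return the address with the local part masked by asterisks.

    The article only says the addresses are now obfuscated with asterisks;
    keeping the first character and the full domain is an assumed layout.
    """
    local, _, domain = addr.partition("@")
    if not domain:
        raise ValueError("not an email address")
    return f"{local[:1]}{'*' * max(len(local) - 1, 1)}@{domain}"


def new_public_id():
    """Unguessable public identifier to expose instead of a sequential gid."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print(detect_id_enumeration(SAMPLE_LOG))   # {'203.0.113.7': 5}
    print(mask_email("alice@example.com"))     # a****@example.com
    print(new_public_id())
```

The enumeration check keys on distinct consecutive identifiers rather than raw request volume, so a single user refreshing their own page (198.51.100.4 above) is not flagged while a client stepping through the id space is. Masking happens in the response layer, so a leaked token still does not yield full addresses, and random public identifiers remove the sequential structure that made cycling through gids possible in the first place.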