
Tuesday

Here is how hackers can muscle you out of your OnePlus 2 queue spot

After an excruciatingly long wait, filled with teasers and speculation, the eagerly anticipated OnePlus 2 was made official last week. The handset has already gathered a lot of interest, and with limited availability the OnePlus team has put up an invitation system for buying the phone, just as it did with the OnePlus One. This is certainly not an ideal way of selling hardware, but the company clearly lacks the capacity to cope with the demand for units. An initial batch of 30,000 phones was snatched up from China in 64 seconds, and it will take another week for more units to arrive.

However, there is a new addition to the invite system, put in place to encourage even more user involvement: if you refer a friend to the invite queue, you bump yourself up the list. This sounds exciting, but sadly it has a major loophole that one eager OnePlus fan (and presumably others as well) managed to exploit. It lets you cheat the system and climb higher on the invite list by running a simple script.

Here is the rundown of what the hacker did. OnePlus has a simple endpoint set up to handle referrals. You pass a friend's email address and your unique invite URL, and if the other person signs up as well, you move further up the list. This already allows you to submit random emails and theoretically boost your points in the system, but you can go one step further. Temporary email services such as Mailinator let you not only set up an email address but also access it from apps via an API. This allowed the hacker to write a script that first sends referral links to randomly generated email addresses, then opens those emails and visits the included links, thus completing the referral. This seems to be yielding major results, proving that the new invite system is quite fragile. The hacker even managed to DDoS the endpoint by accident, so the whole thing seems to be really flimsy.
There are fixes that could be implemented fairly easily, but the OnePlus team has yet to respond to the tweet by the person who found the vulnerability, let alone take action. Hopefully, the situation will be resolved soon and the queue flushed of fake referrals. We will keep you updated if more information on the story becomes available.
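To make the "easy fixes" concrete, here is an added example (not OnePlus code) of server-side referral crediting that closes the gaps the article describes: it refuses disposable-mail domains, credits each referee only once, blocks self-referrals and caps how many referrals one referrer can earn per hour. The blocklist, cap and addresses are constructed for illustration.

```python
"""Hardened referral-crediting logic (added example, not OnePlus code).

Confirming the referee's address alone does not stop the attack in the
article, because a throwaway-mail API lets the script confirm it. The
extra checks here (domain blocklist, one credit per referee, per-hour cap)
are what actually limit how far a script can climb the queue.
"""
from collections import defaultdict, deque

# Constructed blocklist; a production list would be maintained and far longer.
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}
MAX_REFERRALS_PER_HOUR = 5       # constructed cap
WINDOW_SECONDS = 3600


class ReferralLedger:
    def __init__(self):
        self.points = defaultdict(int)     # referrer -> credited referrals
        self.recent = defaultdict(deque)   # referrer -> accept timestamps
        self.credited_referees = set()     # referee addresses already counted

    def credit(self, referrer, referee, verified, now):
        """Return (accepted, reason). Only accepted referrals add a point."""
        referee = referee.strip().lower()
        referrer = referrer.strip().lower()
        if not verified:
            return False, "referee has not confirmed their address"
        if referee.count("@") != 1:
            return False, "malformed address"
        if referee.split("@", 1)[1] in DISPOSABLE_DOMAINS:
            return False, "disposable mail domain"
        if referee == referrer or referee in self.credited_referees:
            return False, "self-referral or referee already credited"
        # Sliding window: drop accepts older than an hour, then check the cap.
        window = self.recent[referrer]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_REFERRALS_PER_HOUR:
            return False, "referrer rate limit hit"
        window.append(now)
        self.credited_referees.add(referee)
        self.points[referrer] += 1
        return True, "credited"
```

A script that floods the endpoint with generated addresses now earns at most MAX_REFERRALS_PER_HOUR points per hour per referrer, and nothing at all from blocklisted domains, while a genuine referral still counts.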


