False alert: Here's what OnePlus' Clipboard app actually sends to Chinese servers
Yesterday, we reported on yet another slightly alarming security issue related to OnePlus devices: a potential security breach that had many worried their sensitive data was leaking out to Chinese servers. This time, however, it would seem that this was a false alert. It turns out OnePlus is merely trying to prevent popular Chinese messenger WeChat from blocking certain links leading to some of the bigger Chinese online retailers. OnePlus' Clipboard unblocks said links by sending a predefined hashcode token that essentially fools WeChat into thinking the links are okay.
But why would OnePlus need to do this, and why would said shopping links be moderated by the WeChat app? It turns out it all comes down to corporate rivalry.
Reddit user lambdaq gave a pretty good explanation as to why this happens:
"Chinese here.
Maybe I can provide some insight and background story. Here are the API requests OP captured http://bigdata.taobao.com/docs/api.htm?apiId=31578 & https://open.alitrip.com/docs/api.htm?apiId=26657. So there are two Internet giants in China, Alibaba and Tencent. Tencent has this mega [-] app pretending to be IM chat app, Wechat. People share [-] taobao links in Wechat. Wechat got jealous, they blocked all *.taobao.com *tmall.com links to "protect the customer from fraud". The taobao guys invented something clever, they invented some kind of hash code, which is called 淘口令, which is some kind of token that uniquely links to a taobao/tmall SKU, so Wechat cannot block arbitrary alphanumeric tokens."
Here's what a Taobao link shared on a popular messenger app looks like
"But after all, there's the catch, how does Oneplus ROM have anything to do with this? Well, the clever part is they will match certain strings from your clipboard, send the token to Taobao API, and restore the original SKU links. That's it, that's why you will see strange URL requests going to China IPs," explains lambdaq.
So, all's well that ends well. It turns out that OnePlus doesn't spy on you and send your intimate data to the Chinese government, at least not with its Clipboard app.
OnePlus has been in a lot of hot water recently, with the biggest debacle surrounding a potentially harmful backdoor found on its newest devices. This has already been removed from users' devices, but the damage had already been done.
source: Reddit