Hacking The OnePlus Invite System
Full details and the original article on how this can be done can be found here, although I’ll give a less technical and slightly less detailed rundown here too.
Technically speaking the article that I linked too is the part 2, as after hacking the invite system once, OnePlus responded that they had patched his original method. The author decided that he was going to find another way, and so he did, and the second part is the linked article, and the part that I will be explaining.
To explain how this works, firstly I need to explain how Google handles emails sent to a slightly modified version of your email. I’ll be using the same example that the author uses, which is email@example.com.
The first mutation of your email that Google allows is firstname.lastname@example.org (the author credits the Reddit user /u/pyronautical for this discovery). Google essentially truncates everything after the +, including the + itself. The second mutation is email@example.com. The full stop can be added at any point in the email name (although obviously before the @gmail.com) as Google simply ignores any fullstops in emails (evident by the fact that when you login, when it asks for your username you can not bother to type in any fullstops or the @gmail.com part of the email).
The second part that I have to explain is what kind of system OnePlus uses that allows us to take advantage of it and hack it in such a way as to beat it. Essentially OnePlus has a waitlist for OnePlusTwo invites, and you can use friends emails to refer them to the registration, thus allowing you to jump the queue. Essentially the way this can be abused is by creating scripts that send emails to it that aren’t real/are disposable and infinitely creatable. This method (what was used in part 1) was patched after the author published part 1 and talked with OnePlus.
Which is why part 2 uses the fact that Google accepts certain mutations of your email. Surely OnePlus doesn’t use the exact same system that Google uses and will therefore count some mutations of the email? Indeed it does count some mutations, but only some. For example, it will not count any of the first mutations (the ones with the +anything) at all, as they appear to be blocked by the OnePlus web client. However, it will accept the second set of mutations, with a couple of rules. First, of all the full stops must not be at the start or the end of the email, and secondly the full stops must not be next to each other in the email. So while .firstname.lastname@example.org and your..email@example.com are not acceptable, firstname.lastname@example.org is accepted.
That’s the basic logic of how we can use what OnePlus thinks is different emails but what Google sees is the same email to trick the referral system into thinking you’re the most popular person on the planet and eventually, if you do the process for long enough, put you in the number one position on the OnePlusTwo Invite Waitlist.
The author stated that his email is 16 sixteen characters long, and using maths I can’t be bothered to figure out or explain (it’s the holidays damnit) that would result in 32768 possible combinations. However the email that he did use for tricking the system is 8 characters long, which only gives 128 emails, although should still be more than enough for his purposes.
I’ve given the basic overview of how it works, and even though the author goes on to explain the code that he would use in Python for scripting the whole thing I’m not going to bother, and will instead encourage you to check out the original article for more detailed instructions.