OnePlus’ Online Payment Platform Allegedly Hacked; User Credit Card Data Stolen

Hacker two-factor authentication

While OnePlus is a company known for manufacturing smartphones that pack in great hardware coupled with near-stock Android experience, the brand has always been in the clasp of controversies.

The company previously found itself surrounded by the EngineerMode controversy, and later on was allegedly blamed for sending user’s clipboard data to Alibaba’s servers. Now, the team has found themselves trapped in another controversy, this time, due to alleged vulnerable online payments.

OnePlus Breached Forum Post
The OP on the OnePlus Forums that brought the controversy to light

In a recent blog post on the OnePlus forums, a user reported that he had previously used his credit cards on the website’s shopping platform to purchase OnePlus devices. He was recently informed that there were several transactions requested on his credit cards that he did not make. As a result, many other users joined in and reported that they too had experienced the same issue. At this time it was not clear whether this issue was indeed serious.

So the team at information security firm Fidus stepped in to investigate it. The use of the Magento eCommerce platform was pinpointed as a possible vector of attack. This has has been known to take place, if adequate security measures are not in place. Unfortunately, it looks that way for OnePlus.

As Fidus mentions, there’s usually an iFrame involved during the payment process which is handled by a third-party payment processor. Instead, the payment page which requests the customer’s card details is hosted on-site.

Because the data flows directly through the OnePlus site, one could in theory intercept it to misuse details. Although payment details are sent to a third-party provider upon form submission, the small window in between OnePlus and the provider, could be attacked to siphon credit card details before the data is encrypted on the provider side. 

Magneto eCommerce Platform

The Magento eCommerce platform has been reported to be one of the most vulnerable e-commerce platforms. The platform makes use of Javascript and/or modification of the cc.php file, which handles the exchange of card details between the web server and the third-party payment provider.

As of now, there is no official statement released by OnePlus.

UPDATE: We have reached out to OnePlus to get an official comment on this issue. 

The staff members on the forum did state that the news of the breach has been passed on to the customer service team, but there has been no response to it as well at the time of this writing.

Community Manager Response

For now, as a user, we urge you to opt for fraud protection on your credit cards to protect you from any data theft or any unauthorized transactions. Furthermore, Fidus advised to shop on websites that make use of an off-site payment processor. There are also third-party payment providers that have created PCI compliant sandboxes for secure online transactions, which you can use, the security team reported.

Watch this space for more updates on the same. Also, do let us know your thoughts on OnePlus’ recent controversy in the comments down below.

EDITOR: Portions of this story have been updated to reflect the possible ways in which a breach could have taken place. We regret the errors in the earlier version. 

comment Comments 0
Leave a Reply