In January this year, Chinese smartphone manufacturer OnePlus’ online payment platform suffered a credit card breach, leaking the credit card information of around 40,000 users. Following the revelation, OnePlus temporarily suspended credit card payments on its online store, but the damage had already been done. While the company initially claimed that its online payments were secure, it later disclosed that one of its systems was hacked and a malicious script was injected into the payment page code to steal users’ credit card information.
Now, it seems like another popular Chinese smartphone manufacturer is on the same path. As a recent post on Reddit points out, Xiaomi India’s website doesn’t have a secure payments page.
We cross-checked the claim and found that both Chrome and Firefox list the URL buy.mi.com as “Not Secure”. While Xiaomi’s payments page claims “100% Security Guaranteed”, the part of the payment process where users have to enter their card details is not secure.
The browser pop-up states: “You should not enter any sensitive information on this site (for example, password or credit cards), because it could be stolen by attackers.”
We repeated the check on the payments pages of other smartphone vendors, including OnePlus and Samsung. OnePlus’ payments page was deemed secure, while Samsung took it one step further and redirected to a secure payments platform, called PayU Biz, for the transaction.
Since Xiaomi recently launched the Redmi Note 5 and Note 5 Pro, a large number of potential buyers could be at risk of exposing their card information. The phones are expected to sell like hot cakes, given their price points and great specs.
We’ve contacted Xiaomi for a comment on the matter and will update the article as soon as we receive a response. In the meantime, we suggest that users steer clear of Xiaomi’s website and purchase its products from Amazon or Flipkart.