Customers reporting credit card fraud after using OnePlus webstore
Chinese mobe-flinger probing the issue
A large number of OnePlus customers claim to have been hit by fraudulent credit card transactions after making purchases on the phone company's site. And they're unhappy that the company has been slow to address the issue.
Dozens of reports of unauthorised credit card use were posted on the company's support forum, and many more on Reddit. Some users were hit with unauthorised transactions before Christmas, but the majority report the transactions appearing over the past few days. Disturbingly, several posters note problems with their credit card after paying through PayPal. But were the transactions linked to OnePlus at all?
In a holding statement, OnePlus said it was investigating, but didn't confirm or deny that a breach had taken place. The Shenzhen firm's webstore was initially built with Magento's e-commerce software, old versions of which were vulnerable to cross-site scripting and remote code execution attacks, but OnePlus said that since 2014 the site has been rebuilt with custom code. The company denied that it "stored" user credit card details.
A security audit by Fidus found that OnePlus hosts the card-entry form on its own site and handles the submission itself, rather than delegating card entry to a payment provider's iFrame. This introduces a new attack vector: the credit card details (including the security code) pass through the OnePlus page, where any script running on that page can read them.
"All payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted," Fidus noted.
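The kind of check Fidus describes, as an added example that is not part of the original article and not OnePlus or Fidus code: a small Python script that scans a checkout page's HTML and reports whether card-number and security-code inputs sit in the merchant's own document (where any script on that origin, first- or third-party, can read the values before the form is submitted) or are delegated to a cross-origin iframe, and which script origins run on the page. The hostnames shop.example, psp.example, pay.example and cdn.example, the field-name hints, and the two sample pages are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that mark an <input> as carrying card data (matched against its
# name, id and autocomplete attributes). Illustrative list, extend for real use.
CARD_FIELD_HINTS = ("cc-number", "cc-csc", "cardnumber", "card_number",
                    "cvv", "cvc", "securitycode", "security_code")


class CheckoutAuditor(HTMLParser):
    """Walk a checkout page and record where card data is entered and
    which script origins can run alongside it."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.card_fields_on_page = []   # card inputs living in the merchant DOM
        self.iframe_hosts = []          # hosts of embedded iframes
        self.script_hosts = set()       # origins whose scripts run on the page
        self.inline_scripts = 0         # <script> blocks with no src

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}        # bare attributes arrive as None
        if tag == "input":
            probe = " ".join((a.get("name", ""), a.get("id", ""),
                              a.get("autocomplete", ""))).lower()
            if any(hint in probe for hint in CARD_FIELD_HINTS):
                self.card_fields_on_page.append(a.get("name") or a.get("id"))
        elif tag == "iframe" and a.get("src"):
            # a relative src resolves to the page's own origin
            self.iframe_hosts.append(urlparse(a["src"]).hostname or self.page_host)
        elif tag == "script":
            if a.get("src"):
                self.script_hosts.add(urlparse(a["src"]).hostname or self.page_host)
            else:
                self.inline_scripts += 1


def audit_checkout(html, page_host):
    """Classify a checkout page's card-data exposure.

    verdict values:
      "merchant-origin-fields": card inputs are in the merchant's own DOM, so
          any script on that origin sees the values before submission, no
          matter where the form's action points.
      "hosted-fields": no card inputs in the DOM but a cross-origin iframe is
          present (consistent with provider-hosted fields).
      "no-card-fields": neither found; fields injected at runtime are invisible
          to a static scan, so this is inconclusive rather than clean.
    """
    p = CheckoutAuditor(page_host)
    p.feed(html)
    p.close()
    third_party = sorted(h for h in p.script_hosts if h != page_host)
    cross_origin_frames = [h for h in p.iframe_hosts if h != page_host]
    if p.card_fields_on_page:
        verdict = "merchant-origin-fields"
    elif cross_origin_frames:
        verdict = "hosted-fields"
    else:
        verdict = "no-card-fields"
    return {
        "verdict": verdict,
        "card_fields_on_page": p.card_fields_on_page,
        "cross_origin_iframes": cross_origin_frames,
        "third_party_script_hosts": third_party,
        "inline_scripts": p.inline_scripts,
    }


# Constructed sample pages with placeholder hostnames (not real sites).
# The first mirrors the pattern Fidus describes: the form posts to a
# payment provider, but the card fields themselves live on the shop's page.
ON_SITE_FORM = """
<form action="https://psp.example/charge" method="post">
  <input name="cardnumber" autocomplete="cc-number">
  <input name="expiry" autocomplete="cc-exp">
  <input name="cvv" autocomplete="cc-csc">
</form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>window.dataLayer = [];</script>
"""

# The second delegates card entry to a cross-origin iframe from the provider.
HOSTED_FIELDS = """
<iframe src="https://pay.example/hosted-fields?merchant=123"></iframe>
<script src="https://pay.example/hosted-fields.js"></script>
"""

if __name__ == "__main__":
    for label, page in (("on-site form", ON_SITE_FORM),
                        ("hosted fields", HOSTED_FIELDS)):
        print(label, audit_checkout(page, "shop.example"))
```

Two caveats a tester should keep in mind. A static scan only sees markup that is in the served HTML; fields or scripts injected at runtime need a browser-driven check, so "no-card-fields" is inconclusive, not a pass. And an iframe only closes the window Fidus describes if it is cross-origin, because scripts on the parent page cannot reach a cross-origin frame's DOM; a same-origin frame gives no protection, and even with cross-origin hosted fields a compromised parent page can still overlay a fake form, so the page's script inventory (the third-party hosts and inline blocks reported above) still matters.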
OnePlus is in hot water after acknowledging that some of its phones beamed data to Alibaba without the user's knowledge or consent. Last year it admitted that detailed usage data was being sent back to the company, without knowledge or consent. This is a breach of basic data protection law in Europe. And a month later it acknowledged that an insecure diagnostic tool had been left on shipping devices. ®