Starting about a week ago, we began seeing reports of fraudulent charges from users on the OnePlus Reddit page, as well as the OnePlus Forums. Researchers at Fidus discovered that it was either an issue related to the OnePlus credit card processor (CyberSource) or the website's store itself. Upon discovering the issue, OnePlus disabled credit card processing pending further investigation to prevent the issue from affecting additional users.

What was the security issue?

OnePlus originally stated that credit card processing doesn't occur on the website directly and that it wasn't storing credit card information on their servers (for security reasons). However, the site was still vulnerable to what's called "cross-site scripting". This allows JavaScript to be injected into the page; the injected script runs in the visitor's browser, where it can read information as it is entered into the page and send it to an external server.

The company has confirmed that a malicious script was injected into the payments page code, and was grabbing and sending data as users entered payment information. They have discovered the script and removed it from the code, as well as isolating the affected server for additional review.

What data was affected?

The breach could have affected any customer who paid with a credit card from November of last year through January 11, 2018. The information potentially exposed:

  • Credit Card Numbers
  • Expiration dates
  • Security Codes

Any other information entered on the payment page could also have been captured by the malicious script. The script only affected users who typed their card details into the payment page. Customers who paid with PayPal were not affected, nor were those who already had a credit card saved in their account.

If you made a recent OnePlus purchase

If you have reason to believe your information may have been compromised, it's recommended that you contact the OnePlus support team. They have Live Chat, Email, and phone call options available. Additionally, it is advised that you keep a close eye on bank and credit card statements, and charge back any fraudulent purchases.

What they're doing going forward

OnePlus plans to improve security for its payment processing, and is investigating in depth to ensure there aren't other security vulnerabilities. They are reviewing logs and doing what they can to mitigate the issue for currently affected customers.

XDA Developers also mentions the possibility of an investigation by the PCI Security Standards Council:

It's too early to tell yet, but the company might be investigated by the PCI Security Standards Council for failing to encrypt payments information on its website. It might be fined, or potentially even barred from supporting credit card payments in future.

Regardless of what happens there, hopefully OnePlus can shore up security on payment processing and avoid something like this happening again in the future.

via XDA
