OnePlus Checkout System Reportedly Hacked, Customer Credit Card Info Compromised

OnePlus doesn't exactly have a stellar record when it comes to security and user privacy; we learned this late last year when it was discovered that the company’s OxygenOS was collecting private user data without permission. Now, however, we're learning of a new issue that is plaguing the OnePlus website, and it is definitely a more serious concern.

Security firm Fidus noticed a forum posting by one OnePlus owner that claimed that they purchased two OnePlus smartphones in November 2017 using two different credit cards. According to the person, these cards were only used to purchase the smartphones and were not used for other transactions either online or offline. Not long after making the purchases, fraudulent charges began showing up on both cards.

Understandably concerned, the OnePlus customer began inquiring if other users had experienced similar fraudulent activity on their credit cards after purchasing a phone direct from OnePlus. Not surprisingly, other individuals chimed in to indicate that they too had been victims of credit card fraud.


Fidus decided to dig deeper into these claims, and noted that OnePlus is using the Magento eCommerce platform, which has a spotty record when it comes to security. After doing a bit more research, the Fidus team determined that the payment page, which requests customer credit card information, is hosted on-site. This decision by OnePlus leaves customer credit card details open to interception by a malicious party.

"This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker," writes Fidus. "Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted."

More specifically, Fidus adds, "Card payments are handled by CyberSource, the processing form is still hosted on the OnePlus infrastructure. If an attacker had write access to this page, JavaScript could have been inserted to compromise data entered into CyberSource’s payment form on the client-side."
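The risk Fidus describes is a self-hosted payment form that loads whatever scripts the merchant's page loads. A basic defender-side control is to keep an explicit allowlist of script origins for the checkout page, audit the page against it, and enforce the same allowlist with a Content-Security-Policy `script-src` directive. The following is an added example, not code from the article, from Fidus, or from OnePlus; the page URL, the allowed payment-provider origin and the sample HTML are constructed for illustration.

```javascript
"use strict";

// Inventory every <script> element in a page's HTML. External scripts are
// reported by their src attribute, inline scripts by the length of their body.
function inventoryScripts(html) {
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const srcRe = /\bsrc\s*=\s*["']([^"']+)["']/i;
  const scripts = [];
  for (const m of html.matchAll(tagRe)) {
    const src = srcRe.exec(m[1]);
    scripts.push(src
      ? { kind: "external", src: src[1] }
      : { kind: "inline", bodyLength: m[2].trim().length });
  }
  return scripts;
}

// Audit a checkout page: resolve each external script's origin and compare it
// with the allowlist (the page's own origin counts as 'self'), count inline
// scripts (which a CSP without 'unsafe-inline' would block), and build the
// script-src directive that enforces the same allowlist at the browser.
function auditCheckoutPage(html, pageUrl, allowedOrigins) {
  const selfOrigin = new URL(pageUrl).origin;
  const allowed = new Set([selfOrigin, ...allowedOrigins]);
  const scripts = inventoryScripts(html);
  const unexpectedExternal = [];
  let inlineCount = 0;
  for (const s of scripts) {
    if (s.kind === "inline") {
      inlineCount += 1;
      continue;
    }
    const origin = new URL(s.src, pageUrl).origin;
    if (!allowed.has(origin)) unexpectedExternal.push(s.src);
  }
  const csp = "script-src " + ["'self'", ...allowedOrigins].join(" ");
  return { scripts, unexpectedExternal, inlineCount, csp };
}

// Constructed sample input: a checkout page with one first-party script, one
// script from the (hypothetical) payment provider, one script from an origin
// nobody approved, and one inline config script.
const SAMPLE_PAGE_URL = "https://shop.example/checkout";
const ALLOWED_ORIGINS = ["https://payments.example"];
const SAMPLE_HTML = `
<html><head>
  <script src="/static/checkout.js"></script>
  <script src="https://payments.example/v1/hosted-form.js"></script>
  <script src="https://cdn.unknown-party.test/tracker.js"></script>
  <script>window.checkoutConfig = { currency: "USD" };</script>
</head><body><form id="payment-form"></form></body></html>`;

const report = auditCheckoutPage(SAMPLE_HTML, SAMPLE_PAGE_URL, ALLOWED_ORIGINS);
console.log("scripts found:", report.scripts.length);
console.log("unexpected external scripts:", report.unexpectedExternal);
console.log("inline scripts (blocked by a strict CSP):", report.inlineCount);
console.log("suggested header: Content-Security-Policy: " + report.csp);
```

Run with `node` and the audit flags the tracker script as coming from an origin outside the allowlist, reports the inline script, and prints the `script-src` directive that would stop the browser from executing either of them. Pairing this kind of inventory check with the header itself means an injected script is both noticed in review and refused at the client, which is the window Fidus describes closing.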

As of now, OnePlus has not responded to the research conducted by Fidus or to customer complaints about credit card fraud. Is OnePlus' website wide open to allow for potentially fraudulent exploitation of its customers, or are these users reporting fraud simply incredibly unlucky when it comes to online shopping? Perhaps a comment from OnePlus would help to shed some light on the issue at hand...
