Security firm Fidus noticed a forum posting by one OnePlus owner who claimed to have purchased two OnePlus smartphones in November 2017 using two different credit cards. According to the person, these cards were only used to purchase the smartphones and were not used for other transactions either online or offline. Not long after making the purchases, fraudulent charges began showing up on both cards.
Understandably concerned, the OnePlus customer began inquiring if other users had experienced similar fraudulent activity on their credit cards after purchasing a phone direct from OnePlus. Not surprisingly, other individuals chimed in to indicate that they too had been victims of credit card fraud.
Fidus decided to dig deeper into these claims, and noted that OnePlus is using the Magento eCommerce platform, which has a spotty record when it comes to security. After doing a bit more research, the Fidus team determined that the payment page, which requests customer credit card information, is hosted on-site. This decision by OnePlus leaves customer credit card details open to interception by a malicious party.
"This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker," writes Fidus. "Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted."
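For site owners who want to check their own checkout page for the exposure Fidus describes, the sketch below flags card fields rendered in the merchant's own DOM, where every script on the page can read them, as opposed to fields served inside a payment provider's cross-origin frame. It is an added example, not code from Fidus or OnePlus; the field-name heuristics, host names and sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that mark a card field in autocomplete/name/id (heuristic, assumed).
CARD_HINTS = ("cc-number", "cc-csc", "cc-exp", "cardnumber", "card_number", "cvv", "cvc")

class CheckoutAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.card_inputs = []     # card fields rendered in the merchant's own DOM
        self.unpinned = []        # third-party scripts loaded without SRI
        self.inline_scripts = 0   # inline scripts share the same DOM
        self.iframe_hosts = []    # cross-origin frames (e.g. a hosted payment form)

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "input":
            probe = " ".join(a.get(k, "") for k in ("autocomplete", "name", "id")).lower()
            if any(h in probe for h in CARD_HINTS):
                self.card_inputs.append(a.get("name") or a.get("id") or "?")
        elif tag == "script":
            host = urlparse(a.get("src", "")).netloc
            if not a.get("src"):
                self.inline_scripts += 1
            elif host and host != self.page_host and not a.get("integrity"):
                self.unpinned.append(a["src"])
        elif tag == "iframe":
            host = urlparse(a.get("src", "")).netloc
            if host and host != self.page_host:
                self.iframe_hosts.append(host)

def audit(html, page_host):
    p = CheckoutAudit(page_host)
    p.feed(html)
    return {"card_fields_on_site": p.card_inputs,
            "third_party_scripts_without_sri": p.unpinned,
            "inline_scripts": p.inline_scripts,
            "cross_origin_frames": p.iframe_hosts,
            "exposed": bool(p.card_inputs)}  # page scripts can read these fields

# Constructed sample pages (not taken from any real site).
ONSITE = """<form action="/checkout/pay"><input name="card_number" autocomplete="cc-number">
<input name="cvv" autocomplete="cc-csc"></form>
<script src="https://cdn.example.test/widget.js"></script><script>track()</script>"""
HOSTED = """<iframe src="https://pay.psp.example.test/form"></iframe>
<script src="/static/site.js"></script>"""

if __name__ == "__main__":
    for name, page in (("on-site", ONSITE), ("hosted", HOSTED)):
        print(name, audit(page, "shop.example.test"))
```

When `exposed` is true, every script the report lists shares a DOM with the card fields, so each one belongs in the page's integrity and change-monitoring scope.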
As of now, OnePlus has not responded to the research conducted by Fidus or to customer complaints about credit card fraud. Is OnePlus' website wide open to allow for potentially fraudulent exploitation of its customers, or are these users reporting fraud simply incredibly unlucky when it comes to online shopping? Perhaps a comment from OnePlus would help to shed some light on the issue at hand...