OnePlus Checkout System Reportedly Hacked, Customer Credit Card Info Compromised

OnePlus doesn't exactly have a stellar record when it comes to security and user privacy; we learned this late last year when it was discovered that the company’s OxygenOS was collecting private user data without permission. Now, however, we're learning of a new issue that is plaguing the OnePlus website, and it is definitely a more serious concern.
OnePlus 5

Security firm Fidus noticed a forum posting by one OnePlus owner that claimed that they purchased two OnePlus smartphones in November 2017 using two different credit cards. According to the person, these cards were only used to purchase the smartphones and were not used for other transactions either online or offline. Not long after making the purchases, fraudulent charges began showing up on both cards.

Understandably concerned, the OnePlus customer began inquiring if other users had experienced similar fraudulent activity on their credit cards after purchasing a phone direct from OnePlus. Not surprisingly, other individuals chimed in to indicate that they too had been victims of credit card fraud.

fidus chart

Fidus decided to dig deeper into these claims, and noted that OnePlus is using the Magneto eCommerce platform, which has a spotty record when it comes to security. After doing a bit more research, the Fidus team determined that the payment page, which requests customer credit card information, is hosted on-site. This decision by OnePlus leaves customer credit details open for interception by a malicious party.

"This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker," writes Fidus. "Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted."

More specifically, Fidus adds, "Card payments are handled by CyberSource, the processing form is still hosted on the OnePlus infrastructure. If an attacker had write access to this page, JavaScript could have been inserted to compromise data entered into CyberSource’s payment form on the client-side."

As of now, OnePlus has not responded to the research conducted by Fidus or to customer complaints about credit card fraud. Is OnePlus' website wide open to allow for potentially fraudulent exploitation of its customers, or are these users reporting fraud simply incredibly unlucky when it comes to online shopping? Perhaps a comment from OnePlus would help to shed some light on the issue at hand...