Customers reporting credit card fraud after using OnePlus webstore

Chinese mobe-flinger probing the issue

By Andrew Orlowski


A large number of OnePlus customers claim to have been hit by fraudulent credit card transactions after making purchases on the phone company's site. And they're unhappy that the company has been slow to address the issue.

Dozens of reports of unauthorised credit card use were posted on the company's support forum, and many more on Reddit. Some users were hit with unauthorised transactions before Christmas, but the majority report the transactions appearing over the past few days. Disturbingly, several posters note problems with their credit card after paying through PayPal rather than entering card details directly, which raises the question of whether those cases are linked to OnePlus at all.

In a holding statement, OnePlus said it was investigating, but didn't confirm or deny that a breach had taken place. The Shenzhen firm's webstore was initially built with Magento's e-commerce software, old versions of which were vulnerable to cross-site scripting and remote code execution attacks, but OnePlus said that since 2014 the site has been rebuilt with custom code. The company denied that it "stored" user credit card details.

A security audit by Fidus reveals that OnePlus currently collects card details in its own checkout page, rather than in an iframe served by the payment provider. This opens an attack vector: the card number, expiry and security code pass through the OnePlus site, so any script running on that page, legitimate or injected, can read them before they are submitted. Not "storing" card details does not close this gap.

"All payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted," Fidus noted.

OnePlus is in hot water after acknowledging that some of its phones beamed data to Alibaba without the user's knowledge or consent. Last year it admitted that detailed usage data was being sent back to the company, without knowledge or consent. This is a breach of basic data protection law in Europe. And a month later it acknowledged that an insecure diagnostic tool had been left on shipping devices. ®


