Customers reporting credit card fraud after using OnePlus webstore

Chinese mobe-flinger probing the issue

By Andrew Orlowski

Posted in Security, 15th January 2018 13:16 GMT

A large number of OnePlus customers claim to have been hit by fraudulent credit card transactions after making purchases on the phone company's site. And they're unhappy that the company has been slow to address the issue.

Dozens of reports of unauthorised credit card use were posted on the company's support forum, and many more on Reddit. Some users were hit with unauthorised transactions before Christmas, but the majority report the transactions appearing over the past few days. Disturbingly, several posters note problems with their credit card after purchasing through PayPal. But were they linked to OnePlus?

In a holding statement, OnePlus said it was investigating, but didn't confirm or deny that a breach had taken place. The Shenzhen firm's webstore was initially built with Magento's e-commerce software, old versions of which were vulnerable to cross-site scripting and remote code execution attacks, but OnePlus said that since 2014 the site has been rebuilt with custom code. The company denied that it "stored" user credit card details.

A security audit by Fidus reveals that OnePlus is currently conducting the transactions itself, rather than through an iFrame. This introduces a new attack vector – it means that the credit card details (including security code) pass through the OnePlus site.

"All payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted," Fidus noted.
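The distinction Fidus draws, card fields rendered in the merchant's own page versus delegated to a payment provider's cross-origin iFrame, can be checked on a static copy of a checkout page. The helper below is an added example, not Fidus's audit tooling or OnePlus code; the merchant origin, the provider hostname and the two sample pages are constructed, and it assumes the fields are present in the served HTML (fields injected later by script would need a rendered DOM).

```javascript
// Added example: classify how a checkout page collects card data.
// "inline"  = card inputs sit in the first-party document, so any script
//             running on the page (including injected script) can read them
//             before they are sent to the payment provider.
// "hosted"  = inputs live in a cross-origin iframe; the same-origin policy
//             keeps page script from reading that frame's contents.
// Heuristic regex matching on static HTML; constructed inputs below.

const CARD_FIELD =
  /autocomplete\s*=\s*["']?(cc-number|cc-csc)\b|name\s*=\s*["']?(card_?number|cvv|cvc|security_?code)\b/i;

function inlineCardInputs(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  return inputs.filter((tag) => CARD_FIELD.test(tag));
}

function crossOriginFrames(html, merchantOrigin) {
  const frames = html.match(/<iframe\b[^>]*>/gi) || [];
  const merchant = new URL(merchantOrigin).origin;
  return frames
    .map((tag) => (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1])
    .filter(Boolean)
    .filter((src) => {
      try { return new URL(src, merchantOrigin).origin !== merchant; }
      catch { return false; } // unparsable src: not a hosted-field frame
    });
}

function classifyCheckout(html, merchantOrigin) {
  const inline = inlineCardInputs(html);
  const frames = crossOriginFrames(html, merchantOrigin);
  if (inline.length > 0) {
    return { mode: "inline", inlineFields: inline.length,
             reason: "card fields in first-party DOM; readable by any page script" };
  }
  if (frames.length > 0) {
    return { mode: "hosted", frames,
             reason: "card fields delegated to a cross-origin iframe" };
  }
  return { mode: "unknown", reason: "no card inputs or payment iframes found" };
}

// Constructed sample pages (hypothetical merchant and provider hostnames).
const MERCHANT = "https://shop.example.test";
const INLINE_PAGE = '<form action="/pay"><input name="card_number" autocomplete="cc-number">' +
  '<input name="cvc" autocomplete="cc-csc"><button>Pay</button></form>';
const HOSTED_PAGE = '<form action="/pay"><iframe src="https://fields.psp.example.test/card">' +
  '</iframe><button>Pay</button></form>';
```

Run against a real checkout page, an "inline" result is the window Fidus describes; a "hosted" result narrows what injected script on the merchant origin can reach.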

OnePlus is in hot water after acknowledging that some of its phones beamed data to Alibaba without the user's knowledge or consent. Last year it admitted that detailed usage data was being sent back to the company, without knowledge or consent. This is a breach of basic data protection law in Europe. And a month later it acknowledged that an insecure diagnostic tool had been left on shipping devices. ®
