OnePlus denies checkout page hack amid credit card fraud reports

OnePlus, a Shenzhen-based Chinese smartphone manufacturer, has denied that its checkout page was compromised due to a Magento bug. The statement came in response to a number of customers who reported credit card fraud and fraudulent purchases after buying OnePlus smartphones from its official website (OnePlus.net) between October and December 2017.

Background

One OnePlus customer, “superdutynick,” wrote in a post: “I purchased two phones with two different credit cards, first on 11-26-17 and second on 11-28-17. Yesterday I was notified by one of the credit cards of suspected fraudulent activity, I logged onto credit card site and verified that there were several transactions that I did not make. I went through the process and switched accounts… no big deal.”

“Today same thing with the other credit card. I do not use either of those credit cards frequently. The only place that both of those credit cards had been used in the last 6 months was on the Oneplus website.”

Another OnePlus customer, “adrianlamkh,” reported a similar incident: “Ehh purchased a 5t back in mid-December. Got a notification today (January 11th) from my bank today due to 2 suspicious transactions. This may be true!!”

Furthermore, there are several other OnePlus customers reporting credit card fraud on Reddit. “Looks like I got hit as well… No one in their right mind would order 200 dollars of Papa John pizza. Smh,” SavvyByNature wrote on Reddit.

“Woke up to $1600 in attempted charges so it’s safe to say I was a part of this, phones great though,” said another Reddit user “Butternutmilkman.”

Findings of a British Security firm

Meanwhile, British IT security company Fidus InfoSecurity Limited reported that its researchers conducted an in-depth investigation and found that the OnePlus checkout page was using the Magento eCommerce platform, which has lately been exploited by hackers. Last week, for instance, the BlackBerry Mobile website was hacked to plant Coinhive code that used visitors’ CPUs to mine the Monero cryptocurrency.

However, in its blog post, Fidus emphasized the currently vulnerable structure of the payment flow and how it can be exploited, rather than confirming whether OnePlus suffered a data breach.

The researchers analyzed the payment process on the OnePlus website and found that the payment page that requests the customer’s card details is hosted on-site and does not offer iFrame integration with the payment processor.

“This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus said.
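The exposure Fidus describes can be checked from the served HTML. The following is an added example, not code from Fidus, OnePlus or this article: it reports card inputs that sit in the merchant's own DOM rather than inside a processor iframe, and lists script hosts outside an allowlist, since any script on that page can read those fields. The hint list, field names and the hosts `shop.example` and `processor.example` are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Name fragments that suggest card data (assumed heuristic, compared after stripping - and _).
CARD_HINTS = ("ccnumber", "cardnumber", "cccid", "cccsc", "ccexp", "cvv", "cvc")

class CheckoutAudit(HTMLParser):
    """Collects card inputs, iframe hosts and script hosts from the merchant-served page."""
    def __init__(self, page_host, allowed_script_hosts):
        super().__init__()
        self.page_host = page_host
        self.allowed = set(allowed_script_hosts) | {page_host}
        self.card_inputs, self.iframe_hosts, self.unlisted = [], [], set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            # Inputs seen here live in the merchant's own DOM; framed content is not parsed.
            label = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete")).lower()
            label = label.replace("-", "").replace("_", "")
            if any(h in label for h in CARD_HINTS):
                self.card_inputs.append(a.get("name") or a.get("id"))
        elif tag == "iframe":
            self.iframe_hosts.append(urlparse(a.get("src", "")).hostname or self.page_host)
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or self.page_host
            if host not in self.allowed:
                self.unlisted.add(host)  # this script can read every field on the page

def audit_checkout(html, page_host, allowed_script_hosts=()):
    p = CheckoutAudit(page_host, allowed_script_hosts)
    p.feed(html)
    return {"card_fields_in_merchant_dom": p.card_inputs,
            "iframe_hosts": p.iframe_hosts,
            "unlisted_script_hosts": sorted(p.unlisted),
            "exposed": bool(p.card_inputs)}

# Constructed sample pages; shop.example and processor.example are placeholder hosts.
ONSITE = """<html><head><script src="/js/checkout.js"></script>
<script src="https://cdn.analytics.example/tag.js"></script></head><body>
<form action="https://processor.example/pay" method="post">
<input name="payment[cc_number]" autocomplete="cc-number">
<input name="payment[cc_cid]"><input name="email"></form></body></html>"""
HOSTED = """<html><head><script src="/js/checkout.js"></script></head><body>
<iframe src="https://processor.example/hosted-fields"></iframe></body></html>"""

if __name__ == "__main__":
    for name, page in (("on-site form", ONSITE), ("processor iframe", HOSTED)):
        print(name, audit_checkout(page, "shop.example"))
```

Inline scripts and first-party files that have been tampered with are not flagged by this check, so it complements file-integrity monitoring on the server rather than replacing it.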

Fidus believes the Magento eCommerce platform could be the vulnerable point for hackers to exploit and steal credit card data from OnePlus users.

Moreover, the researchers identified two more issues with the site: (1) OnePlus does not appear to be PCI compliant and did not mention it on its website, and (2) the company claims it does not handle any card payments made. Whilst card payments are handled by CyberSource, a California-based e-commerce credit card payment system management company, the processing form is still hosted on the OnePlus infrastructure.

Fidus noted that hackers can steal customer credit card data from eCommerce stores in two ways: by placing JavaScript that runs client-side, or by modifying the Cc.php file, which requires shell access to the server and indicates a serious compromise.

However, the researchers did not find any malicious JavaScript hosted on the OnePlus website. The Magento eCommerce hacking spree was first discovered and reported by website security firm Sucuri back in 2015.


Beware OnePlus customers

In response to the complaints, OnePlus’ staff member Mingyu wrote that the company does not save or process customers’ credit card information on their website. “It is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection and processed on their secure servers,” said Mingyu.

OnePlus customers should still be vigilant and keep an eye on their credit card transactions and inform their bank in case of any suspicious activity. Those customers who have bought OnePlus products between October and December 2017 should also contact their bank to investigate any fraudulent transaction.

Not for the first time

This is not the first time that OnePlus has been in the news for hacking-related incidents. In August last year, a critical security flaw called QuadRooter hit millions of Android devices, including OnePlus One, OnePlus 2 and OnePlus 3 devices.

In November 2017, a security researcher found two preinstalled backdoors in OnePlus devices that could spy on users and collect their data without their permission or knowledge.


Waqas
