Over a period of four months, more than 70 affected buyers have posted on the OnePlus forum about attempts to make transactions with their credit cards.
In response, OnePlus has written in a blog post that it is investigating the matter and trying to determine the cause of this apparent hack.
The company says, “If you suspect that your credit card info has been compromised, please check your card statement and contact your bank to resolve any suspicious charges. They will help you initiate a chargeback and prevent any financial loss.”
Fidus, a cyber security firm that has investigated, says that OnePlus is currently handling all the transactions itself instead of using an iFrame.
“The payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” says Fidus.
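The distinction Fidus draws can be checked from the checkout page's own HTML. The sketch below is an added example, not code from Fidus or OnePlus: it classifies a page as collecting card data on-site or through a cross-origin hosted iFrame and, in the on-site case, lists every script origin able to read the fields. The hostnames, sample pages and field-name heuristics are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CARD_HINTS = ("cc-", "card", "cvv", "cvc")  # assumed field-naming heuristics
# Constructed sample pages (hypothetical shop.example, psp.example, cdn.example).
ON_SITE = """<form action="https://psp.example/charge" method="post">
<input name="card_number" autocomplete="cc-number">
<input name="cvv" autocomplete="cc-csc"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/widget.js"></script>"""
HOSTED = """<iframe src="https://psp.example/hosted-fields"></iframe>
<script src="/js/checkout.js"></script>"""

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

class CheckoutAudit(HTMLParser):
    """Collects card inputs, script origins and iframe origins of one document."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.card_fields, self.script_origins, self.frame_origins = [], set(), set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() != "hidden":
            label = " ".join(a.get(k, "") for k in ("autocomplete", "name", "id")).lower()
            if any(h in label for h in CARD_HINTS):
                self.card_fields.append(a.get("name") or a.get("id") or "?")
        elif tag == "script":
            # Inline scripts (no src) resolve to the page's own origin.
            self.script_origins.add(origin(urljoin(self.page_url, a.get("src", ""))))
        elif tag == "iframe" and a.get("src"):
            self.frame_origins.add(origin(urljoin(self.page_url, a["src"])))

def audit(page_url, html):
    p = CheckoutAudit(page_url)
    p.feed(html)
    if p.card_fields:
        # Card inputs live in the merchant's DOM: every script loaded here can read them.
        return {"model": "on-site", "card_fields": p.card_fields,
                "exposed_to": sorted(p.script_origins)}
    if p.frame_origins - {origin(page_url)}:
        # Cross-origin frame: the same-origin policy keeps parent-page scripts out.
        return {"model": "hosted-iframe", "card_fields": [], "exposed_to": []}
    return {"model": "no-card-form", "card_fields": [], "exposed_to": []}

if __name__ == "__main__":
    print(audit("https://shop.example/checkout", ON_SITE))
    print(audit("https://shop.example/checkout", HOSTED))
```

This is a static check of the served HTML only; scripts injected at runtime do not appear in it and have to be inspected in a browser.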
The research firm has highlighted two major issues in the OnePlus payment system. The first concerns the third-party provider: “OnePlus do not appear to be PCI compliant, nor do they mention this anywhere on the website.” The second is that they “did not mention that they do not handle card payments that are made on its website.”
The investigation done by Fidus nearly confirms that OnePlus customers have faced credit card misuse. However, it will be interesting to see how OnePlus tackles this issue.