Check Your Credit Card Statements; OnePlus May Have Been Hacked

Fyi, any time I lead off with this captioned photo of Carl Pei it’s probably going to be bad news…

Last week a customer took to the OnePlus Forums to post about suspicious charges on two of their credit cards, both of which were used for purchases at OnePlus.net last November. It turns out he is not alone; to date some 69 users have reported similar fraudulent charges, and it’s looking increasingly likely that the upstart Android OEM’s payment portal has been compromised.

For a company that only sells its products online to most of the world, this is understandably a big concern—even if the number of affected customers is so far relatively small.

A blog post by Fidus Info Security explains how an attacker could have compromised the portal:

The payment page which requests the customer’s card details is hosted on-site and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted.

The working theory at Fidus is that the credit card numbers were intercepted not by client-side attacks via javascript, but instead a server-side compromise via PHP. But if this were the case then I’d expect a lot more fraudulent charges to be reported.

If, like me, you paid for your OnePlus purchase using PayPal then your credit card info should be safe. If I recall correctly, PayPal was the only available option for my last few orders; in light of this news I’m pretty grateful for that!

Links: Fidus InfoSec, OnePlus Forums

Leave a Reply