Another Day, Another Breach: OnePlus’s Payment System Pwned

2018 is not at all being nice for tech firms. This time the bad news is for OnePlus and its customers – the company’s payment system has been pwned by some unknown hackers and people who used their credit card to make payment for their showy new OnePlus phones on the company’s official payment site ought to immediately contact their bank as hackers might be already out to steal their funds.

A large number of users on the OnePlus forums are reporting issues regarding fraudulent activity on their credit cards. The issue came into the frame when a customer posted on the company’s forum saying that two of his credit cards used on the company's official website was suspected of fraudulent activities.

Later, from a flock of concerned OnePlus users, numerous complaints started to hit the forum and it was all about credit card fraud. According to the cybersecurity firm Fidus, there was vulnerability at the Chinese mobile giant’s website that has allowed malicious agents to flick sensitive credit card data from the website.

“We have checked the payment process on the OnePlus’s website to have a look what was going on inside. And interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker,” a blog post by Fidus read.

Fidus also stated that while the payment details are sent off to a third-party provider by a form submission, a window pops in which the malicious code is able to siphon credit card details before the data is encrypted.

How to protect yourself?

“The safest option to prevent credit card fraud is to use an OFF-SITE payment processor or a processor who offers iFrame integration with checkout pages. Third-party payments providers have created PCI compliant sandboxes for the very purpose of securely taking card payments; utilize it,” Fidus stated in their blog post.