Several users on the OnePlus forums and on Reddit have been discussing their issues regarding their credit card’s fraudulent activity. These are the same users who made purchases on the OnePlus website or OnePlus Store earlier. According to those reports, their credit card details have been leaked and someone out there is attempting to spend tons of their money on coupons, random betting sites, and other such quick-to-cash-out places.
Fidus Information Security, based on these reports have undergone the payment security system on the OnePlus website, they have found that “The payment page which requests the customer’s card details is hosted ON-SITE. This means all payment details entered, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted.”
A visual representation of the hack taking place (credit : Fidus Information Security)
However, the company is yet to respond to these reports and need to stop this exploitation for the safety of the users.
Updated (17th January, 2018) :
We reached out to OnePlus and they are claiming that it does not store user’s credit card info on its website, and the payments are processed by their partner "over an encrypted connection, and processed on their secure servers.” Even if the customer had used the "save this card for future transactions" feature, complete card info still wasn't stored on OnePlus's website.
The company also urges it’s customers to check with their credit cards respective bank statement for any fraudulent transactions which were used after the purchases on the OnePlus website so that the bank can help them initiate a chargeback and prevent loss of money. OnePlus by investigating each report, they are planning to undergo a complete audit of the security of their consumers.
