OnePlus "secure" checkout isn't as secure as it seems

ItsMitch

OnePlus' website is getting its security dragged through the mud as some users are noticing that their credit cards are being used for fraud, and an InfoSec team began an investigation that found some pretty dodgy handling of sensitive credit card data.

Quote

Recently members of the Fidus team noticed an interesting blog post on the OnePlus forum by an individual discussing recent fraudulent attempts made on two of their credit cards. The forum user states that the only place both cards were used was on the OnePlus website in November 2017, and they go on to ask whether other members of the community have had the same issue (spoiler: they had). OnePlus are currently using the Magento eCommerce platform, which is a common platform on which credit card hacking takes place.

These findings do not confirm OnePlus have suffered a breach. Instead, they look into the current structure of the payment flow and how it could have been achieved.

 

They went on to check the way sensitive data is handled on the site and found that all payments are handled via the OnePlus website and aren't correctly processed, allowing criminals to intercept the data.

Quote

 

We stepped through the payment process on the OnePlus website to have a look what was going on. Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted.

Straight away there are two issues that stand out. OnePlus do not appear to be PCI compliant, nor do they mention this anywhere on the website. OnePlus mention they do not handle any card payments made; whilst card payments are handled by CyberSource, the processing form is still hosted on the OnePlus infrastructure. If an attacker had write access to this page, JavaScript could have been inserted to compromise data entered into CyberSource's payment form on the client-side.


Pretty concerning, but this is what Gadgets.com found:

Quote

 

While it acknowledges the official website was built on the Magento platform, it says it has been rebuilding the website with custom code. In fact, it says the credit card payments were not implemented on Magento's payment module. However, it only says "we shouldn't be affected", instead of giving a more reassuring statement on the security front.


OnePlus has released a statement on its forums saying that it is thoroughly investigating the matter - https://forums.oneplus.net/threads/an-update-on-credit-card-security.752415/

Original Source: https://blog.sucuri.net/2015/04/impacts-of-a-hack-on-a-magento-ecommerce-website.html

 

Update: PayPal purchases may not be fully protected either, according to a report from El Reg - https://www.theregister.co.uk/2018/01/15/oneplus_users_report_credit_card_fraud/

Quote

Dozens of fraud reports of unauthorized credit card use were posted through on the company's support forum and much more on Reddit. Some users were hit with unauthorized transactions before Christmas, but the majority report the transactions appearing over the past few days. Disturbingly, several posters note problems with their credit card after purchasing through PayPal. But were they linked to OnePlus?


"Shouldn't"... Now that sounds like a high degree of certainty...

 

Me: Doctor, will this kill me?

Doctor: It shouldn't.

...

 

So, did this happen on their "custom code" then?


Just now, Ryujin2003 said:

"Shouldn't"... Now that sounds like a high degree of certainty...

 

So, did this happen on their "custom code" then?

That's like saying "If I pull the pin on this malfunctioning grenade, it shouldn't blow up".


Quote

 

Dozens of fraud reports of unauthorized credit card use were posted through on the company's support forum and much more on Reddit. Some users were hit with unauthorized transactions before Christmas, but the majority report the transactions appearing over the past few days. Disturbingly, several posters note problems with their credit card after purchasing through PayPal. But were they linked to OnePlus?


Oh, a brief update coming in from El Reg, this doesn't look good at all.

Just now, lots of unexplainable lag said:

Please, make some OnePlus news when something about them is actually secure and not dodgy as fuck because then it's actually news.

rofled


Can confirm. Happened to my friend when he ordered one. He just generally has horrible luck when it comes to fraud, but if it's more widespread it's an issue.

1 hour ago, huilun02 said:

Payment details will flow through whatever website the payment page is hosted on. That doesn't mean that only OnePlus's site is vulnerable. And no the Magento platform isn't made by OnePlus. But I guess people are going to interpret this as a OnePlus-only issue and translate into a "OnePlus makes bad products" mindset.

While true, it is absolutely OnePlus's responsibility to have a secure payment platform. As a company handling multi-million-dollar sales, it should have been tested.


8 minutes ago, dizmo said:

Can confirm. Happened to my friend when he ordered one. He just generally has horrible luck when it comes to fraud, but if it's more widespread it's an issue.

While I've never been a victim of fraud, I feel bad for people who get fucked over by it. 


2 hours ago, huilun02 said:

Payment details will flow through whatever website the payment page is hosted on. That doesn't mean that only OnePlus's site is vulnerable. And no the Magento platform isn't made by OnePlus. But I guess people are going to interpret this as a OnePlus-only issue and translate into a "OnePlus makes bad products" mindset.

OnePlus doesn't necessarily make bad products. They just happen to be bad at supporting good products.

Judge a product on its own merits AND the company that made it.


5 hours ago, AluminiumTech said:

OnePlus doesn't necessarily make bad products. They just happen to be bad at supporting good products.

Yah they make great stuff, for grabbing your personal info and data :)


7 hours ago, SC2Mitch said:

While I've never been a victim of fraud, I feel bad for people who get fucked over by it. 

It's pretty hard to actually get fucked over by it if you have a decent bank.

1 hour ago, Bananasplit_00 said:

Yah they make great stuff, for grabbing your personal info and data :)

How else do you think they can afford their "super low" pricing ;)


7 hours ago, dizmo said:

How else do you think they can afford their "super low" pricing ;)

OP5T with SD835, 8GB RAM and 128GB storage for only $499 without a contract...

 

It reminds me of two year contracts sold by shady and greedy wireless carriers with strings attached like bill shock and hidden fees not included in the very fine print. :ph34r:

