Earlier this week, smartphone maker OnePlus stopped taking credit card payments on its online store following reports of fraudulent charges, and opened an investigation into the matter. Just days later, OnePlus has revealed in a statement that the preliminary results are in, and there’s a very real problem.
Credit card information belonging to 40,000 customers was seized by hackers between mid-November 2017 and January 11th 2018. The data stolen includes credit card numbers, expiry dates, and security codes, which would explain those fraudulent transactions.
The mechanism for stealing the info appears to be a vulnerability in OnePlus’s payment processing system. According to a forum post detailing the findings, “a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated.”
While OnePlus appears to have been following standard industry practice for encrypting data before sending it to the credit card processor, the problem appears to be a small window of opportunity, after the user has entered their data into the web form and before they hit submit. A tiny snippet of code, placed in the right place on OnePlus’s webpage, could capture the relevant credit card information and send it directly from the user’s browser, without the unencrypted credit card info ever being seen by OnePlus. That explains why only users who entered a new number into OnePlus’s system were affected by the breach, not users who had a saved credit card or used PayPal.
In a statement, OnePlus said that “We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.
We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future.”
The company will also be offering a year of free credit protection to affected users, with more details to come.