OnePlus update: up to 40,000 credit cards exposed in payment page breach

Signs of an attack on OnePlus’s payments page were first reported on Reddit and the OnePlus forums, but it was researchers at Fidus who first narrowed the cause down to one of two possibilities: either (1) OnePlus’s credit card payment gateway, CyberSource, had been hacked, or (2) the OnePlus web store itself had been compromised.

Initially, OnePlus claimed that credit card processing didn’t occur on its website and that it didn’t store credit card information on its servers. However, the payment form itself was served from the company’s own store, so customers typed their card details into a page under OnePlus’s control. Anyone able to alter that page’s code, whether by tampering with it in transit or by modifying it on the server, could inject malicious JavaScript that siphoned the data off as it was entered.

On top of that, the Fidus researchers found that OnePlus’s payments page did not appear to meet PCI-DSS (the Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council; Fidus cited the UK Cards Association’s guidance on it), contrary to the company’s claims. One PCI-DSS requirement is that a merchant must “encrypt transmission of cardholder data across open, public networks”, and according to Fidus that didn’t appear to be the case. Note that transport encryption alone would not have stopped the attack described below: a script injected into the page runs inside the customer’s browser and reads the form fields before they are ever encrypted for transmission.



OnePlus now says that its systems were attacked and that a malicious script designed to sniff out credit card data as customers entered it had been injected into the payments page code. The script operated intermittently, capturing the data directly in users’ browsers and sending it to an offsite server.

OnePlus identified the script and removed it this week, and took the precautionary step of quarantining the infected server and “reinforcing all relevant system structures”. But it says that as many as 40,000 users might have been affected.

What is OnePlus doing now?

OnePlus apologized for the payments breach and says it is “eternally grateful” to the community for identifying a pattern of fraudulent payments. The company says it is reviewing logs, contacting people who might have been impacted by the breach, and working with its payments provider and local authorities to prevent future incidents.


OnePlus also says it plans to implement a “more secure” credit card payment method on its website, and that it’s conducting an in-depth security audit to see if there are any other vulnerabilities attackers could be taking advantage of.

It’s too early to tell yet, but the company might face a PCI-DSS compliance investigation over the handling of payment information on its website. Any fines, or a withdrawal of its ability to accept card payments in future, would come from the card brands and its acquiring bank rather than from the PCI Security Standards Council itself, which maintains the standard but does not enforce it.

