OnePlus website accused of enabling identity theft through insecure payment platform

The Magento platform has been hacked before

Credit card security is a concern for everyone who shops online - so, all of us - and making sure that those cards are protected is a top priority. Entering your details into the wrong website can lead to identity theft, which aside from fraudulent charges can affect more nebulous factors like credit scores. Unfortunately for smartphone vendor OnePlus, it seems that its website has become one of those.

A post on OnePlus's own forums tells the story of a customer buying two smartphones in November, using two different credit cards. This month he was notified of possible fraudulent charges, and verified that there were several false transactions on both cards. The user adds, "The only place that both of those credit cards had been used in the last 6 months was on the OnePlus website."

Many other users - the thread now runs to 10 pages - chimed in with similar accounts, prompting infosec firm Fidus to run its own investigation. Fidus points to the eCommerce platform Magento as a possible culprit (although one moderator, who claims to be an IT developer, disputes that).

This is not the first time that Magento has been accused of being hacked; a vulnerability was highlighted last year that enabled attackers to upload and execute malicious code in online stores. Sucuri also wrote a blog post about the possibility back in 2015.

As well as noting that the OnePlus site does not appear to be PCI-compliant, Fidus writes:

"We stepped through the payment process on the OnePlus website to have a look at what was going on. Interestingly enough, the payment page which requests the customer's card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted."

The most likely method used by hackers in this case is a modification of the Cc.php file, as described by Sucuri; this requires shell access to the server, and points to a serious compromise.

So far OnePlus has not responded officially, although we would recommend checking your credit card statement thoroughly if you have used one to order anything direct from the vendor's website. If you need to order from OnePlus in the near future, use either PayPal or an off-site payment processor offering iFrame integration with checkout pages.
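
The distinction Fidus draws between a card form hosted on-site and one served in a third-party iFrame can be checked from a checkout page's HTML. The following is an added example, not code from Fidus, OnePlus or Magento; the field-name hints, the `audit_checkout` helper and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic name fragments for card inputs (assumed list, extend for your forms).
CARD_HINTS = ("cc_number", "card_number", "cardnumber", "cc_cid", "cvv", "cvc", "cc_exp")
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}

class CheckoutAudit(HTMLParser):
    """Collects card inputs in the merchant's own DOM and third-party iframes."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.onsite_card_fields = []
        self.third_party_frames = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("input", "select"):
            ident = (a.get("name", "") + " " + a.get("id", "")).lower()
            if (a.get("autocomplete", "").lower() in CARD_AUTOCOMPLETE
                    or any(h in ident for h in CARD_HINTS)):
                self.onsite_card_fields.append(a.get("name") or a.get("id") or "(unnamed)")
        elif tag == "iframe":
            host = urlparse(a.get("src", "")).hostname
            if host and host != self.page_host:
                self.third_party_frames.append(host)

def audit_checkout(page_url, html):
    """Card fields found here live in the page's own DOM: an iframe's fields
    belong to a separate document that this HTML does not contain."""
    p = CheckoutAudit(page_url)
    p.feed(html)
    p.close()
    return {"onsite_card_fields": p.onsite_card_fields,
            "third_party_frames": p.third_party_frames,
            "card_data_in_site_dom": bool(p.onsite_card_fields)}

# Constructed sample pages (not OnePlus markup).
ON_SITE = """<form action="/checkout/submit" method="post">
<input name="payment[cc_number]" type="text"><input name="payment[cc_cid]" type="text">
</form>"""
HOSTED = """<form><input name="email" type="email"></form>
<iframe src="https://pay.processor.example/fields?session=abc"></iframe>"""

if __name__ == "__main__":
    for name, html in (("on-site form", ON_SITE), ("hosted iframe", HOSTED)):
        print(name, audit_checkout("https://shop.example/checkout", html))
```

A hosted iFrame only helps when the card inputs are absent from the merchant page, because script running on the parent page cannot read the fields of a cross-origin frame.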