Now OnePlus is accused of using an insecure payments platform exploited for identity theft

Not the first time that the Magento Commerce platform, used by OnePlus, has been hacked, say security experts

Upstart smartphone maker OnePlus has been accused of running an insecure online website that has enabled customer details - including payment information - to be compromised.

A post on OnePlus's own forums tells the story of a customer buying two smartphones in November, using two different credit cards. The user was notified this month of possible fraudulent transactions, adding that: "The only place that both of those credit cards had been used in the last six months was on the OnePlus website."

Many other users - the thread now runs to 10 pages - claim to have had similar experiences, prompting infosec firm Fidus to run its own investigation. Fidus points to the eCommerce platform Magento as a possible culprit (although one moderator, who claims to be an IT developer, disputes that).

The payment page which requests the customer's card details is hosted ON-SITE and is not an iFrame by a third-party payment processor

This is not the first time that Magento has been accused of being hacked. A vulnerability was highlighted last year that enabled attackers to upload and execute malicious code in online stores. Sucuri also wrote a blog about the possibility back in 2015.

As well as noting that the OnePlus site does not appear to be PCI-compliant, Fidus writes:

"We stepped through the payment process on the OnePlus website to have a look what was going on. Interestingly enough, the payment page which requests the customer's card details is hosted ON-SITE and is not an iFrame by a third-party payment processor.

"This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. While the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted."

The mostly likely method used by hackers in this case is a modification of the cc.php file, as described by Sucuri. This requires shell access to the server, and points to a serious compromise.

So far, OnePlus has not officially responded to the new claims. Anyone that has purchased a OnePlus product via the company's website recently is advised to check their statements for suspicious purchases and to cancel the payment card they used.

It is not the first time that the company has been accused of shoddy practices. In recent months, it has been accused of leaving a test and development backdoor on users' devices, leaving off key codecs off of its new devices preventing users from streaming HD content, and engaging in an intrusive data slurp from customers' smartphones, a policy it claims to have rectified.