[Update: OnePlus halts credit card payments] OnePlus is Investigating Alleged Credit Card Fraud Stemming From its Payment Portal

[Update: OnePlus halts credit card payments] OnePlus is Investigating Alleged Credit Card Fraud Stemming From its Payment Portal

Update 1/16/2018: In a statement published Tuesday, OnePlus said it’s temporarily shutting down credit card payments on its website as a “precaution” while it looks into reports of unauthorized transactions. “This is a serious issue and we are investigating around the clock,” a spokesperson said.

OnePlus might have been affected by a serious security breach involving its payment portal, if a report from Fidus is accurate. Many users on Reddit, Twitter, and OnePlus’s own forums have reported fraudulent use of their credit cards in the recent months, all with cards they’ve used to purchase products from OnePlus’s website. It’s unclear whether the company is to blame, but it published a forum post on Monday explaining how its payment system works and announcing an investigation into the issue.

The researchers at Fidus concluded that either (1) OnePlus’s credit card payment gateway CyberSource was hacked, or that (2) OnePlus itself was breached. Right now, it’s unclear which is the case.

OnePlus, for its part, claims that credit card processing doesn’t occur on its website. “Your card info is never processed or saved on our website – it is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers,” a spokesperson wrote on OnePlus’s official forums. “Our website is HTTPS encrypted, so it’s very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit.”


OnePlus’ payment portal page, which clearly goes through their own website.

But OnePlus’s payment processing form is hosted on its website, according to Fidus, and an attacker with access to the page could inject malicious JavaScript that siphons data away from it. Researchers weren’t able to view the payment portal’s source code because page crawlers hadn’t indexed it, but even though they didn’t find evidence of JavaScript injection, they claim that it might have been possible.

The researchers also suggest that OnePlus’s payments page isn’t compliant with the UK Cards Association’s PCI-DSS standard, contrary to the company’s claims. PCI-DSS, an acronym for Payment Card Industry Data Security Standard, it a set of 12 high-level point-of-sale requirements across six categories which companies must meet in order to achieve compliance. One requirement of PCI-DSS is that servers must “encrypt transmission of cardholder data and sensitive information across public net”, which doesn’t appear to be true in OnePlus’s case. If an attacker could siphon data away from the server to another machine somewhere, at some point the data might not have been encrypted.

Fidus also posited the idea that OnePlus was the victim of a serious breach, perhaps as the result of modified code in CyberSpace’s Magento eCommerce plugin the company was believed to have used for payments processing. The plugin’s biggest vulnerability — the cc.php file it uses to save users’ credit card details — is called regardless of whether card details are saved, and an attacker who successfully breaches the checkout page can modify the file’s code and have it redirect all credit card details to an off-site location.

Magento has been the victim of some very serious attacks over the years, one of which left over 200,000 Magento merchants vulnerable to attack.

Take a look at the malicious code below, which is a modified version of the cc.php file:


Modified cc.php code that siphons information from the payment portal to an attacker’s site // Source: Fidus

It takes all data submitted through the payment portal and submits it to a website created by the researchers at Fidus. Here’s a flowchart of how the attack works:


Flowchart of attack using a modified Magento eCommerce cc.php file. // Source: Fidus

OnePlus claims it never used the Magento plugin for credit card processing.”Oneplus.net was initially built on the Magento eCommerce platform,” a spokesperson for the company wrote on the forums. “However, since 2014 we have been re-building the entire website with custom code, […] so no, we shouldn’t be affected. ”

As for built-in OnePlus checkout page features such as “save this card for future transactions”, the company says those are handled by third-party servers. “[Our] payment processing partner encrypted and securely stored your card info and sent us a few digits […], plus a “token” – a string of symbols that represents your card,” a spokesperson wrote. “This token is stored in our system, but it’s impossible for us to decrypt it and access your card info. Next time you make a payment at oneplus.net, this token will be recognized by our payment processing partner, who then fetches your original card info from their secure vault and uses it for payment processing.”

It’s important to note that there hasn’t been confirmation of a breach yet. If you’re concerned about OnePlus’s webpage security, though, you might try using PayPal. And if you’re worried that your credit card might have been compromised, OnePlus recommends contacting your bank to monitor for and/or reverse any fraudulent payments.

OnePlus is conducting an “investigation” with its third-party providers, a spokesperson said. It’s directing suggestions and comments to [email protected].

We’ll see what comes of the company’s internal audit. You can read the announcement at the source links, along with the results of Fidus’s unofficial investigation.

Source: OnePlus Source 2: Fidus

About author

Adam Conway
Adam Conway

A 21-year-old Irish technology fanatic in his final year of a Computer Science degree. Lover of smartphones, cybersecurity, and Counter Strike. You can contact me at [email protected] My Twitter is @AdamConwayIE and my Instagram is adamc.99.