OnePlus discloses security leak in its invoicing system that could have exposed sensitive user data

OnePlus found a vulnerability in one of its out-of-warranty repair invoicing systems, affecting a small set of users in the US.

By Digit NewsDesk | Published 04 Jul 2020 16:58 IST
HIGHLIGHTS
  • OnePlus found a vulnerability in one of its out-of-warranty repair invoicing systems, affecting a small set of users in the US.

  • Data of users who wanted to repair their OnePlus device that had gone out of warranty was left exposed.

  • OnePlus claims the leakage has not been exploited by anybody malicious.


While the company gears up to launch the OnePlus Nord, a security vulnerability has been found that could have led to a leak of user data. Thankfully, the vulnerability involves only a small set of users, and OnePlus claims the leakage has not been exploited by anybody malicious.

First reported by Android Police, the vulnerability was found in one of OnePlus’ out-of-warranty repair invoicing systems, affecting a small set of users in the US. The invoicing system was run by a third party. The publication notified OnePlus and worked with the company to iron out the issue.

Had the vulnerability been exploited, an attacker would have been able to see the data of users who wanted to repair a OnePlus device that had gone out of warranty, and hence had to pay for it. Via the invoice, someone could have had access to data like phone number, model number, IMEI, order date, name, address, email address and the repair cost. OnePlus maintained that credit card details were never exposed.

After fixing the leak, OnePlus gave out a detailed statement to Android Police, which read:

“On July 2, a vulnerability was fixed on the website of our U.S. repair service provider. OnePlus customers in the U.S. who were required to pay for out-of-warranty repairs or those who chose to use our recently launched warranty exchange program were sent a unique third-party link to process their payment. From the time the payment link was generated and emailed to the customer, until the time the payment information was submitted, that customer's name, shipping address, email address, device model and IMEI were visible at the link. As soon as a user's payment information was submitted, the link immediately became inactive. To further secure this process, an additional verification step will be required starting early next week.

After thorough investigation together with our vendor, we have found no evidence of any purposeful attempts to access these URLs.

In addition, no credit card details or payment information of any kind was ever accessible.

User privacy is a top priority for OnePlus, and we apologize for any concerns that this might cause. We have made significant security enhancements on our own platforms in recent years and are diligently working to further improve. We are also already improving our internal processes to more quickly respond to external vulnerabilities, and will more closely engage our third-party vendors to better ensure security on their platforms.”

It’s worth mentioning that the vulnerability affects only a small set of users, and was quickly fixed by OnePlus, which claims it didn’t fall into the wrong hands during the time it was left exposed. OnePlus was also embroiled in a data leak controversy in 2018 and 2019, which actually saw user data being accessed by malicious third parties. For now, OnePlus has introduced a new verification step in the invoicing process and scrubbed all identity details from invoices.
