OnePlus found a vulnerability in one of its out-of-warranty repair invoicing systems, affecting a small set of users in the US.
While the company gears up to launch the OnePlus Nord, a security vulnerability has been found that could have led to leaking user data. Thankfully, the vulnerability involves only a small set of users, and OnePlus claims the leak was not exploited by anyone malicious.
First reported by Android Police, the vulnerability was found in one of OnePlus’ out-of-warranty repair invoicing systems, affecting a small set of users in the US. The invoicing system was run by a third party. The publication notified OnePlus and worked with the company to iron out the issue.
Had the vulnerability been exploited, someone would have been able to see the data of users who had sent in an out-of-warranty OnePlus device for repair and therefore had to pay for it. Via the invoice, that person could have had access to data such as phone number, model number, IMEI, order date, name, address, email address and the repair cost. OnePlus maintained that credit card details were never exposed.
After fixing the leak, OnePlus issued a detailed statement to Android Police, which read:
“On July 2, a vulnerability was fixed on the website of our U.S. repair service provider. OnePlus customers in the U.S. who were required to pay for out-of-warranty repairs or those who chose to use our recently launched warranty exchange program were sent a unique third-party link to process their payment. From the time the payment link was generated and emailed to the customer, until the time the payment information was submitted, that customer's name, shipping address, email address, device model and IMEI were visible at the link. As soon as a user's payment information was submitted, the link immediately became inactive. To further secure this process, an additional verification step will be required starting early next week.
After thorough investigation together with our vendor, we have found no evidence of any purposeful attempts to access these URLs.
In addition, no credit card details or payment information of any kind was ever accessible.
User privacy is a top priority for OnePlus, and we apologize for any concerns that this might cause. We have made significant security enhancements on our own platforms in recent years and are diligently working to further improve. We are also already improving our internal processes to more quickly respond to external vulnerabilities, and will more closely engage our third-party vendors to better ensure security on their platforms.”
It’s worth mentioning that the vulnerability affects only a small set of users and was quickly fixed by OnePlus, which says the data did not fall into the wrong hands during the time it was exposed. OnePlus was also embroiled in data leak controversies in 2018 and 2019, which actually saw user data being accessed by malicious third parties. For now, OnePlus has introduced a new verification step in the invoicing process and scrubbed all identity details from invoices.
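The flaw described in the statement is a bearer-style payment link: anyone holding the URL could read the customer's identity fields until payment was submitted. The following is an added illustration, not code from OnePlus or its repair vendor, contrasting that weak design with a hardened one that mirrors the two fixes the article mentions (an extra verification step, and identity details removed from the page). The invoice record, the `PaymentLinks` class and the choice of e-mail confirmation as the verification step are all assumptions for the example.

```python
import secrets
import hmac

# Constructed sample invoice (hypothetical values, fields modelled on the article).
INVOICES = {
    "inv-1001": {"name": "A. Customer", "address": "1 Example St",
                 "email": "a@example.test", "model": "OnePlus 7T",
                 "imei": "000000000000000", "cost_usd": 120},
}

class PaymentLinks:
    """Hypothetical payment-link service: each link is a random token emailed to the customer."""

    def __init__(self):
        self.links = {}  # token -> {"invoice": invoice id, "paid": bool}

    def issue(self, invoice_id):
        token = secrets.token_urlsafe(32)  # unguessable, but still a bearer secret
        self.links[token] = {"invoice": invoice_id, "paid": False}
        return token

    def view_weak(self, token):
        """Weak design: whoever holds the link sees the full invoice until it is paid."""
        link = self.links.get(token)
        if link is None or link["paid"]:
            return None
        return INVOICES[link["invoice"]]

    def view_hardened(self, token, email_claim):
        """Hardened design: the link alone is not enough. The visitor must also supply
        the customer's e-mail (assumed verification step), and the page returns only what
        is needed to pay, not name, address or IMEI."""
        link = self.links.get(token)
        if link is None or link["paid"]:
            return None
        inv = INVOICES[link["invoice"]]
        # constant-time comparison so a wrong guess is not distinguishable by timing
        if not hmac.compare_digest(inv["email"].lower(), email_claim.strip().lower()):
            return None
        return {"model": inv["model"], "cost_usd": inv["cost_usd"]}

    def submit_payment(self, token):
        """Marks the link inactive once payment is submitted, as in the statement."""
        link = self.links.get(token)
        if link is None or link["paid"]:
            return False
        link["paid"] = True
        return True
```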