Just days after OnePlus announced that 40,000 of its customers were affected by a credit card security breach, the company is again accused of sending data to Chinese servers.
Starting with the credit card breach: OnePlus had to suspend credit card payments on its online store. Investigations began after users posted a poll on the OnePlus forum, which showed that many customers had experienced the same problem. As many as 174 users claimed to have discovered fraudulent transactions on their cards after using them to buy a OnePlus phone from the website. In response, OnePlus outlined its many security measures. However, further research by a third-party security firm, Fidus, found that there is a brief window “in which malicious code is able to siphon credit card details before the data is encrypted.”
On 19th January, OnePlus posted a detailed list of its findings and what the affected customers now need to do. The company clarified that those who paid via third parties need not worry and are safe. OnePlus said, “One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.” They further added, “We have quarantined the infected server and reinforced all relevant system structures.”
Though this is a huge breach of security, it’s not the first time OnePlus’s security and privacy practices have been questioned. Back in November 2017, it was alleged that OnePlus transmits users’ IMEI over HTTP while checking for software updates. The IMEI (the number that uniquely identifies a particular phone) is sent unencrypted to OnePlus’s servers when a OnePlus phone checks for an update (with or without user input). This means that anyone listening to traffic on your network can grab your IMEI whenever your phone decides it’s time to check for an update.
More recently, OnePlus was again criticised for its extensive data collection practices. In a Twitter post, Elliot Alderson, a French security researcher, alleged that the company was identifying clipboard data such as bank account numbers and emails and uploading it to a Chinese server. These claims were, obviously, refuted by OnePlus, which stated that the code in question was inactive for its global users running OxygenOS. “There’s been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS, our global operating system. No user data is being sent to any server without consent in OxygenOS,” the company said.
However, none of these issues seems to have affected the company’s Indian market. Its latest edition, the OnePlus 5T Lava Red, which was released in India on the 20th of January, is already out of stock on major e-commerce sites like Amazon and Flipkart.