OnePlus lives by the ‘Never Settle’ motto, but that doesn’t mean it is immune to vulnerabilities. It can still be affected by human or system error. An issue was discovered last week, and a fix has already been made. It’s important to note the error and inform consumers about it because the problem exposed customer details. The issue was a vulnerability in the company’s out-of-warranty repair invoicing system. Exposed details include physical addresses, email addresses, full names, phone numbers, and IMEI numbers.
Those are very important personal details you don’t want many people to know. The affected system is run by a third-party company. Only US customers use this system, so at least the exposure is limited to one region.
Initially, OnePlus didn’t believe the problem after it was exposed, but it’s there. To be more specific, only those with unpaid invoices have been exposed. This means only a small number of customers have been affected.
According to OnePlus, which has already conducted an internal audit, this vulnerability was not fully exploited. For now, OnePlus has removed identifying details from the invoicing system. Beginning today, a new verification system will be implemented.
Here is an official statement from OnePlus:
On July 2, a vulnerability was fixed on the website of our U.S. repair service provider. OnePlus customers in the U.S. who were required to pay for out-of-warranty repairs or those who chose to use our recently launched warranty exchange program were sent a unique third-party link to process their payment. From the time the payment link was generated and emailed to the customer, until the time the payment information was submitted, that customer’s name, shipping address, email address, device model and IMEI were visible at the link. As soon as a user’s payment information was submitted, the link immediately became inactive. To further secure this process, an additional verification step will be required starting early next week.
After thorough investigation together with our vendor, we have found no evidence of any purposeful attempts to access these URLs.
In addition, no credit card details or payment information of any kind was ever accessible.
User privacy is a top priority for OnePlus, and we apologize for any concerns that this might cause. We have made significant security enhancements on our own platforms in recent years and are diligently working to further improve. We are also already improving our internal processes to more quickly respond to external vulnerabilities, and will more closely engage our third-party vendors to better ensure security on their platforms.