A security vulnerability in OnePlus' out-of-warranty repair and advance exchange invoicing system has been fixed. The vulnerability, which was discovered on June 30th, exposed customer details including full names, phone numbers, email addresses, IMEI numbers, and physical addresses. The system affected is run by a third-party vendor and is only used by US customers. Android Police disclosed details of the vulnerability to OnePlus after receiving a tip from a reader, and OnePlus does not believe it was ever actively exploited.
Again, as far as we know, only US customers would ever have been at risk. A given customer's window of vulnerability to being exploited was also probably quite limited, as only open, unpaid invoices for out-of-warranty repairs and in-warranty credit card holds for advanced replacements were exposed. In short, it likely only affected a small subset of a subset of OnePlus customers at any one given time.
According to an internal audit conducted by OnePlus, there is no evidence the vulnerability was ever exploited. For the time being, identifying details have been stripped from the invoicing system, and starting July 6th, a new verification system will be in place.
That said, the details the vulnerability revealed about those customers were significant, and included:
Android Police was informed of the vulnerability by a tipster (Thanks: Eric Lang) on June 30th, but it's unclear how long the vulnerability existed. Our tipster tried to reach out to OnePlus on June 21st with the information, but his claims didn't seem to be taken seriously at that time. On July 2nd, following our disclosure to the company, the vulnerability was fixed to remove access to identifying information.
This isn’t the first time OnePlus has run into security problems involving customer data. Last year, the company’s “Shot on OnePlus” promotion leaked some similar details, as did a later breach regarding order information. Back in 2018, it suffered a credit card hack that was undisclosed for a period of two months, affecting up to 40,000 customers. In 2017, analytics from OnePlus phones were revealed to include superfluous identifying information. At the end of last year, OnePlus announced its bug bounty program, promising payouts for security researchers, but that doesn’t seem to have prevented today’s news.
Android Police worked with OnePlus to resolve the issue, and the company provided us with the following statement on July 3rd regarding the vulnerability:
On July 2, a vulnerability was fixed on the website of our U.S. repair service provider. OnePlus customers in the U.S. who were required to pay for out-of-warranty repairs or those who chose to use our recently launched warranty exchange program were sent a unique third-party link to process their payment. From the time the payment link was generated and emailed to the customer, until the time the payment information was submitted, that customer’s name, shipping address, email address, device model and IMEI were visible at the link. As soon as a user’s payment information was submitted, the link immediately became inactive. To further secure this process, an additional verification step will be required starting early next week.
After thorough investigation together with our vendor, we have found no evidence of any purposeful attempts to access these URLs.
In addition, no credit card details or payment information of any kind was ever accessible.
User privacy is a top priority for OnePlus, and we apologize for any concerns that this might cause. We have made significant security enhancements on our own platforms in recent years and are diligently working to further improve. We are also already improving our internal processes to more quickly respond to external vulnerabilities, and will more closely engage our third-party vendors to better ensure security on their platforms.