Security holes in OnePlus’ checkout page compromising customer card details
15 January 2018
Security firm Fidus has revealed that OnePlus collects card details on a payment form hosted on its own website rather than on a page served by its payment processor, a practice Fidus says falls short of PCI requirements and exposes customers' card details to any script running on the checkout page.
An attacker who can inject code into that on-site payment page can siphon card details as customers type them, before the data is encrypted and passed on to the payment processor.
Card users are routinely told to check that they are entering their details on a seller's genuine website, so that the details cannot be captured by attackers and used for unauthorised purchases. That advice offers no protection when the genuine website itself has a serious security hole.
Researchers at Fidus recently found that OnePlus' checkout page collects card details in a form hosted on OnePlus' own site rather than in an iframe served by a third-party payment processor. Because the card data passes through the merchant's page before it is encrypted and sent to the processor, code injected into that page can intercept it; Fidus also says the arrangement does not meet PCI requirements.
PCI DSS does not mandate one particular integration, but a card form served entirely by the payment processor (a hosted page or an iframe on the processor's own origin) keeps card data off the merchant's page: the browser's same-origin policy stops scripts on the merchant page from reading fields inside a cross-origin iframe, and the merchant's site falls out of most of the PCI DSS scope. A form hosted on the merchant's own site does neither, so every script on that page, legitimate or injected, can read the card number in the clear. After several OnePlus customers complained that their card details had been accessed by third parties, the researchers decided to investigate.
'Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker.
'Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,' they noted.
According to the researchers, this contradicts OnePlus' claim that it does not handle card payments, and they also note that nothing on the OnePlus website tells customers that the company is not PCI compliant.
Until OnePlus addresses this, customers should avoid entering card details on its checkout pages, since the details could be read and misused by third parties. The researchers also advise online retailers to have their e-commerce sites penetration tested so that risks of this kind are found before attackers find them.
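The distinction Fidus draws, card inputs in the merchant's own page versus a form the processor serves inside a cross-origin iframe, is something a reviewer can check from a saved copy of the checkout HTML. The Python script below is an added example, not code from this article, from Fidus or from OnePlus. Using only the standard library, it reports whether card-like inputs sit in the merchant's own DOM (readable by every script on the page, including an injected one) or whether the only card entry is a cross-origin iframe (which page scripts cannot read under the same-origin policy), and lists which third-party script origins run on the page. The sample pages, hostnames and field-name hints are constructed for the example and are assumptions, not OnePlus markup.

```python
"""Static audit of a checkout page: where are card fields entered, and who can read them?
Added example, not code from the article, Fidus or OnePlus. Works on saved HTML only;
hostnames, sample pages and field-name hints are constructed assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# name/id/autocomplete fragments that usually mark a card field (assumption; extend per site)
CARD_FIELD_HINTS = ("cardnumber", "card_number", "card-number", "cc-number",
                    "ccnum", "cvv", "cvc", "cc-csc", "expiry", "cc-exp")


def origin_of(url: str, page_origin: str) -> str:
    """scheme://host of url; a relative URL resolves to the page's own origin."""
    parts = urlsplit(url)
    if not parts.netloc:
        return page_origin
    scheme = parts.scheme or urlsplit(page_origin).scheme  # protocol-relative //host/x.js
    return f"{scheme}://{parts.netloc.lower()}"


class _CheckoutParser(HTMLParser):
    def __init__(self, page_origin: str):
        super().__init__()
        self.page_origin = page_origin
        self.card_fields = []           # card inputs in the merchant's own DOM
        self.script_origins = set()     # origins of external <script src=...>
        self.inline_scripts = 0
        self.cross_origin_iframes = []  # candidate processor-hosted card entry

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            ident = " ".join((a.get("name", ""), a.get("id", ""), a.get("autocomplete", ""))).lower()
            if any(hint in ident for hint in CARD_FIELD_HINTS):
                self.card_fields.append(a.get("name") or a.get("id"))
        elif tag == "script":
            if "src" in a:
                self.script_origins.add(origin_of(a["src"], self.page_origin))
            else:
                self.inline_scripts += 1
        elif tag == "iframe" and "src" in a:
            origin = origin_of(a["src"], self.page_origin)
            if origin != self.page_origin:
                self.cross_origin_iframes.append(origin)


def audit(html: str, page_origin: str) -> dict:
    """Classify the card-entry model of a checkout page.

    A card input in the merchant's own HTML is readable by every script on that page
    (first-party, third-party or injected): 'on-site', and in PCI DSS scope. Fields in
    a cross-origin iframe belong to another document that page scripts cannot read
    (same-origin policy); they never appear in the merchant's HTML, only the iframe does.
    """
    p = _CheckoutParser(page_origin)
    p.feed(html)
    p.close()
    if p.card_fields:
        verdict = "on-site"
    elif p.cross_origin_iframes:
        verdict = "hosted-iframe"
    else:
        verdict = "no-card-entry-found"
    return {"verdict": verdict,
            "card_fields": p.card_fields,
            "cross_origin_iframes": p.cross_origin_iframes,
            "third_party_scripts": sorted(o for o in p.script_origins if o != page_origin),
            "inline_scripts": p.inline_scripts}


# Constructed sample pages (not real OnePlus markup).
PAGE_ORIGIN = "https://shop.example.test"

ONSITE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.analytics.example.test/tag.js"></script>
</head><body><form id="payment" action="/checkout/submit" method="post">
  <input name="cardholder" autocomplete="cc-name">
  <input name="cardNumber" autocomplete="cc-number">
  <input name="expiry" autocomplete="cc-exp">
  <input name="cvv" autocomplete="cc-csc">
  <button type="submit">Pay</button>
</form>
<script>/* inline: tokenises the form on submit, but sees the raw values first */</script>
</body></html>"""

HOSTED_PAGE = """<html><head><script src="/static/checkout.js"></script></head>
<body><form id="payment" action="/checkout/submit" method="post">
  <input name="email" autocomplete="email">
  <iframe src="https://pay.processor.example.test/fields?merchant=123"></iframe>
  <button type="submit">Pay</button>
</form></body></html>"""

if __name__ == "__main__":
    for label, page in (("on-site form", ONSITE_PAGE), ("hosted iframe", HOSTED_PAGE)):
        r = audit(page, PAGE_ORIGIN)
        print(f"{label}: verdict={r['verdict']} card_fields={r['card_fields']}")
        print(f"  cross-origin iframes={r['cross_origin_iframes']} "
              f"third-party scripts={r['third_party_scripts']} inline={r['inline_scripts']}")
```

Run it against a saved copy of a real checkout page: an "on-site" verdict with third-party or inline scripts on the same page is exactly the exposure described above. The check is static, so it cannot see scripts injected at runtime or tell a benign first-party script from a compromised one, and a cross-origin iframe only protects against scripts on the merchant page, not against a breach at the processor itself.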
A number of studies over the years have revealed how both consumers and retailers have demonstrated a lack of awareness when it comes to the online security of their financial information. A study by WhiteHat Security revealed that more than a quarter of UK and US consumers would complete a heavily discounted purchase before checking if the website is secure.
The survey also found that retailers exhibit risky behaviour of their own, with vulnerabilities on their sites that rate as serious when compared with the online risks faced by other industries.
According to WhiteHat, the most common "critical vulnerability classes" in the retail industry were insufficient transport layer protection, cross-site scripting, information leakage, brute force attacks and cross-site request forgery.
By Jay Jay