Security holes in OnePlus’ checkout page compromising customer card details

Security firm Fidus has revealed how OnePlus' lack of PCI compliance, combined with its practice of hosting the payment card entry page on its own site, is compromising customers' credit card details.

Hackers can inject malicious code into OnePlus' on-site payment page to siphon customers' credit card details before those details are encrypted.

Credit card users are often asked to ensure that they are punching in their card details on genuine websites of sellers so that their card details are not accessed by hackers or used by them to carry out unauthorised purchases. However, how will customers protect their data if a genuine website starts featuring glaring security loopholes?

Researchers at security firm Fidus recently revealed that OnePlus' checkout page, which accepts payments from visitors, featured security vulnerabilities due to PCI non-compliance and to its failure to use an iFrame provided by a third-party payment processor. These vulnerabilities could enable hackers to intercept customers' financial details before they could be encrypted.

According to PCI requirements, website owners are required to use iFrames provided by third-party payment processors, as such pages are encrypted and any details entered by customers cannot be intercepted by hackers. However, after reports emerged of several OnePlus customers complaining that their credit card details had been accessed by third parties, the researchers decided to investigate.

'Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker.

'Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,' they noted.

According to the researchers, this fact has busted OnePlus' claim that they do not handle any card payments, and also exposes the company for not stating on their website that they are not PCI compliant.

Considering that OnePlus' checkout pages are vulnerable to such hacks, you must not punch in your card details as they are likely to be accessed and misused by third parties. The researchers have also advised that users should conduct penetration testing against e-commerce websites to highlight security risks.
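One check a tester can run when assessing a checkout page is whether card fields sit in the merchant's own document (on-site capture, reachable by any script injected into that page) or are delegated to a cross-origin iFrame from the payment processor. The following Python audit is an added example, not code from Fidus or this article; the sample HTML and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# autocomplete tokens (HTML spec) and name fragments that mark card-data inputs
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}
CARD_NAME_HINTS = ("cardnumber", "card_number", "ccnum", "cvv", "cvc", "expiry")


class CheckoutAuditor(HTMLParser):
    """Collects card inputs in the first-party document and cross-origin iframes.

    Only the parent document is parsed: an iframe's own content is a separate
    document, so any card input seen here is by definition hosted on-site.
    """

    def __init__(self, page_origin):
        super().__init__()
        self.page_origin = page_origin          # hostname of the merchant page
        self.onsite_card_fields = []
        self.payment_iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            host = urlparse(a.get("src") or "").netloc
            # relative or same-host frames are still the merchant's own origin
            if host and host != self.page_origin:
                self.payment_iframes.append(a["src"])
        elif tag == "input":
            ident = ((a.get("name") or "") + (a.get("id") or "")).lower()
            autocomplete = (a.get("autocomplete") or "").lower()
            if autocomplete in CARD_AUTOCOMPLETE or any(h in ident for h in CARD_NAME_HINTS):
                self.onsite_card_fields.append(a.get("name") or a.get("id"))


def audit_checkout(html, page_origin):
    """Classify a checkout page as on-site card capture or processor-hosted iframe."""
    p = CheckoutAuditor(page_origin)
    p.feed(html)
    if p.onsite_card_fields:
        verdict = "on-site capture"        # full PCI scope; exposed to injected script
    elif p.payment_iframes:
        verdict = "hosted iframe"          # card data never enters the merchant DOM
    else:
        verdict = "no card capture found"
    return {"onsite_card_fields": p.onsite_card_fields,
            "payment_iframes": p.payment_iframes, "verdict": verdict}


# constructed sample: card fields rendered in the merchant's own document
ONSITE_FORM = """<form action="/checkout/pay" method="post">
<input name="cardNumber" autocomplete="cc-number">
<input name="cvv" autocomplete="cc-csc">
<input name="expiry" autocomplete="cc-exp">
</form>"""

# constructed sample: card fields live inside a processor-hosted frame
HOSTED_IFRAME = """<form action="/checkout/confirm" method="post">
<input name="email" type="email">
<iframe src="https://pay.example-processor.invalid/fields?merchant=123"></iframe>
</form>"""
```

Run `audit_checkout(ONSITE_FORM, "shop.example")` to see the first sample flagged as on-site capture and the second as a hosted iFrame.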

A number of studies over the years have revealed how both consumers and retailers have demonstrated a lack of awareness when it comes to the online security of their financial information. A study by WhiteHat Security revealed that more than a quarter of UK and US consumers would complete a heavily discounted purchase before checking if the website is secure.

The surveyors also found that retailers exhibit several risky behaviours, with security vulnerabilities on their sites that could be considered serious in comparison to the online risks faced by other industries.

According to the researchers, the most commonly occurring “critical vulnerability classes” facing the retail industry were insufficient transport layer protection, cross-site scripting, information leakage, brute force attacks and cross-site request forgery.

Copyright Lyonsdown Limited 2020
