Some people take it as a badge of honor when a company has become big or popular enough to be the target of attacks. Considering how OnePlus is slowly becoming such a target, one could assume it has definitely crossed that threshold. Unfortunately, it also means that the company has to step up its efforts to make sure that its biggest security holes are not left open for long. Sometimes the affected system may not be under its direct control, but it still has the responsibility of safeguarding its customers’ information. Fortunately, in this latest case it was able to plug such a gaping hole before the cat got out of the bag, at least as far as we know.
Android Police was tipped off to a vulnerability in OnePlus’ system for handling out-of-warranty repairs and warranty exchanges. The system was run by a third-party vendor that serviced only US customers. OnePlus was able to fix it quickly after receiving the disclosure over the weekend, and it claims that, according to its investigations, the vulnerability was not exploited.
OnePlus also revealed how the reported vulnerability worked. The system sent customers a temporary third-party link for payment processing, but until the user completed the process, the link would contain users’ names, addresses, email addresses, and even the phone’s IMEI. OnePlus will be using a new verification system moving forward and is quite confident that no credentials were actually stolen before it could fix the bug.
Of course, we do not know how long the vulnerability had been left open before it was discovered and disclosed. So far, however, there have been no reports of incidents that may be linked to a potential security breach from this source. While the set of OnePlus customers that could have been affected is comparatively small, it’s still no small matter when user privacy and security are concerned.
This isn’t OnePlus’ first brush with security breaches either. Since 2017, the company’s websites have been reported to have one exploitable flaw or another, the latest of which was reported late last year. Given how it has now become a force to be reckoned with in the mobile market, it can no longer remain lax in its security practices, especially in the areas where it is most likely to leak customer information.