The vulnerability was found in one of the firm’s out-of-warranty repair invoicing systems. It would only have ever affected a small number of U.S. customers and was run by a third party. Android Police notified OnePlus of the issue and worked with them to resolve it.
In essence, if anyone exploited the vulnerability, they would have been able to see the data of users who had filed for a repair but had yet to pay the invoice. Said party would have had access to order numbers, phone model, IMEI. order date, name, address, phone number, email address, and repair cost. OnePlus says that credit card details were never exposed.
In a statement given to Android Police, OnePlus clarified the issue, saying:
On July 2, a vulnerability was fixed on the website of our U.S. repair service provider. OnePlus customers in the U.S. who were required to pay for out-of-warranty repairs or those who chose to use our recently launched warranty exchange program were sent a unique third-party link to process their payment. From the time the payment link was generated and emailed to the customer, until the time the payment information was submitted, that customer’s name, shipping address, email address, device model and IMEI were visible at the link. As soon as a user’s payment information was submitted, the link immediately became inactive. To further secure this process, an additional verification step will be required starting early next week.
After thorough investigation together with our vendor, we have found no evidence of any purposeful attempts to access these URLs.
In addition, no credit card details or payment information of any kind was ever accessible.
User privacy is a top priority for OnePlus, and we apologize for any concerns that this might cause. We have made significant security enhancements on our own platforms in recent years and are diligently working to further improve. We are also already improving our internal processes to more quickly respond to external vulnerabilities, and will more closely engage our third-party vendors to better ensure security on their platforms.
While any security vulnerabilities are concerning, this falls far below OnePlus’ 2018 and 2019 breaches which saw user data being actively accessed by malicious third parties. As per the report, OnePlus has carried out an audit of the invoicing system, stripping out any identifying details.