Following a slew of complaints about possible credit card fraud from a flock of concerned OnePlus users, cybersecurity firm Fidus has discovered a vulnerability that might have allowed malicious agents to sweep sensitive credit card data from the website of the China-based phone-maker.
So far, hundreds of affected users have taken to Reddit and the official OnePlus forums to report suspicious activity on their credit cards. According to numerous reports, the first fraud attempts came within a year after customers used their credit card to purchase items from the manufacturer’s website.
Fidus goes on to clarify that while the attacks appear to be authentic, their research does not in any way confirm that the OnePlus site was breached; rather, it suggests where the attacks might have come from – and it seems the weakest link might be the Magento eCommerce platform.
The cybersecurity specialist says the payment integration, which has previously been hacked on several occasions, is often targeted by malicious actors.
“We stepped through the payment process on the OnePlus website to have a look what was going on. Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE,” the post reads. “This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker.”
“Whilst the payment details are sent off to a third-party provider upon form submission,” it continues, “there is a window in which malicious code is able to siphon credit card details before the data is encrypted.”
While the Chinese phone-maker has yet to release an official statement with regards to this ordeal, a moderator (who claims to have an IT background) on its forum has since cast doubt on the accuracy of Fidus’ research, arguing that the suggested attack vectors are not consistent with the evidence.
Meanwhile, we have contacted OnePlus for further comment and will update this piece accordingly if we hear back.
Read next: VR can’t save retail