OnePlus has fixed a security vulnerability in its out-of-warranty repair invoice system. The company says it found “no evidence of purposeful attempts to access” data through the vulnerability.
The security flaw, which was discovered on June 30th, exposed a wealth of customer details, including:
- Order numbers
- Phone model
- Order date
- Phone number
- Email address
- Repair cost
Android Police reports that it uncovered the vulnerability thanks to a tip from a reader and worked with OnePlus to fix the problem. Further, the publication says it appears that only U.S. customers were at risk.
A third-party vendor only used by U.S. customers operated the repair invoicing system impacted by the vulnerability. It’s worth noting that the nature of the exploit didn’t leave a large number of people exposed for a long period of time.
According to a statement from OnePlus, the repair invoicing system sent a unique third-party link to customers who were required to pay for out-of-warranty repairs, or for those who used the company’s warranty exchange program. The third-party link was for processing payments. From the time the link was generated until the time the payment information was submitted, OnePlus says that customer data was visible at the link. Once payment was submitted, however, the link became inactive.
To secure the process, OnePlus says it added an extra verification step when accessing the link. Further, the company says the vulnerability was secured as of July 2nd.
Unfortunately, it remains unclear how long the vulnerability existed. Thankfully it appears Canadians weren’t affected, and OnePlus says it found no evidence of attempts to access the URLs.
This isn’t the first security issue for OnePlus either. Last year, the company’s ‘Shot on OnePlus’ promotion leaked similar details while another security breach exposed customer order details, which included Canadians. OnePlus ultimately launched a bug bounty program to help catch some of these issues and prevent future breaches.
Source: Android Police