According to security firm Fidus, the issue could be associated with how the payment process happens, not the OnePlus website. The site is developed using the Magento eCommerce platform, which the researchers say has been targeted by attackers multiple times.
As the payments page is hosted on the OnePlus site, the credit card details can be intercepted by the attackers. They have a small window before the details get encrypted and sent to the third-party server for processing.
In their official response made on the OnePlus forum, the Chinese smartphone maker said they’re investigating the credit card fraud reports and agreed that the buyers who used their credit cards directly to make purchases are among the affected ones.
OnePlus said all the payment processing is done on the servers of their payment service provider. When a buyer chooses “Save this card for future transactions,” the card details are stored on the third-party server. The OnePlus site only saves an encrypted token which is used by the payment server to fetch the payment details of the buyer.
OnePlus also clarified that they have been shifting away from the Magento platform and redesigning their website with custom code. Also, they never used Magento’s payment module. So, it’s unlikely their site is affected by the Magento bugs discovered in the past.
While the company was quick to issue a statement, it doesn’t seem it would be of much help to the buyers who got money sucked from their accounts. People who are seeing unknown transactions in their statements are advised to contact their banks immediately and get things sorted.