OnePlus has now fixed yet another data-leaking flaw in its system, reports indicate. This flaw, in particular, was found in the out-of-warranty repair invoicing system on June 30. There’s been no clear indication as to how long it was in place. But, as with other OnePlus flaws, it was exploitable to allow access to a ton of user data. And it only would have affected US customers if it had been.
Summarily, the flaw — reported to OnePlus as noted above by Android Police, following a tip-off credited to Eric Lang — was in the system for users who needed repairs after their warranty expired. It was disclosed to the company on July 2nd. And it potentially exposed any US customers who had open, unpaid invoices for those out-of-warranty repairs.
What was this data-leaking flaw leaking?
It’s not immediately clear how the flaw worked. But OnePlus notes that information was available via a “unique” link sent to customers with out-of-warranty repairs. The company says that it sent those users a third-party link to access their payment. That means that as soon as that link was created, the user’s data was exposed. And it remained exposed until they made their payment. Once payment was received and verified, the link became inactive.
With regard to what information was available to just about anybody with access to the link, that list includes pretty much everything.
Not only was the order number, phone model, order date, and repair cost exposed. So was the IMEI for the device, as well as the name, address, phone number, and email address of the consumer. That could have — if exploited — paved the way for further phishing attacks and breaches.
The leaked information could have been used to launch an attack or to spoof numbers in order to bypass secondary protective measures. Just to name a few possible uses for such a comprehensive list of user data. In a worst-case scenario, that information goes a long way toward obtaining all the details needed for full-blown identity theft.
This doesn’t appear to have been exploited but it’s not a good look for OnePlus
As of this writing, OnePlus has indicated that its system has been fixed. So users’ data should no longer be available to just anybody who has access to the links that were created. It’s only accomplished that by removing identifying details from the invoices though. The invoices themselves are still readily accessible until July 6. That’s when OnePlus says it will have a new verification system in place for invoicing.
As to the breach itself, it’s not readily apparent how such a leak was allowed to happen. The company has already been the subject of several breaches over the past couple of years, with its most recent occurring just last November. At this rate, it’s nearly managing to keep up with Facebook on that front.
In the interim, the company did launch a bug bounty program, wholly separate from the Android bug bounty program. The primary goal, of course, is to stop breaches and other bugs from interfering with its business and with customers.
So this particular data-leaking flaw from OnePlus is not likely to sit well with consumers.