
Most smartphone makers tend to release security patches every month or every couple of months. We know that updating your phone can be a hassle, but if there were ever a good reason to stay on top of updates, it would be this: a major OnePlus OxygenOS vulnerability has been found, one that could put a lot of OnePlus users at risk.
A major OnePlus OxygenOS vulnerability has been found
According to a report from cybersecurity firm Rapid7, the company discovered a major vulnerability in the OnePlus OxygenOS mobile platform. The report describes it as a “permission bypass vulnerability” that affects multiple versions of the OS, which means it is likely present on multiple OnePlus models.
Rapid7 says, “The issue stems from the fact that sensitive internal content providers are accessible without permission, and are vulnerable to SQL injection.” Their report also adds, “Based on our analysis, this vulnerability could be leveraged to bypass the core Android READ_SMS permission to silently exfiltrate users’ SMS data without their consent and break SMS-based MFA systems.”
But how did this happen, and why was it only discovered now? It turns out the issue likely stems from OnePlus modifying the stock Android Telephony package. The company added extra exported content providers such as PushMessageProvider, PushShopProvider, and ServiceNumberProvider. However, these providers did not declare a write permission alongside “READ_SMS”. By default, that leaves them open to any app, even one that was never granted SMS permission.
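The weakness the passage above describes is a manifest-level one: an exported content provider with a read permission but no write permission is reachable for insert, update, and delete by any installed app, and if the provider builds its SQL from caller-supplied selection strings, those writes can become reads. The script below is an added example, not code from the article or from OnePlus or Rapid7; it audits an AndroidManifest.xml (a constructed sample, with provider names and authorities assumed for illustration) and flags exported providers that are missing a read or write permission. Run it against a decompiled manifest to get the same check on a real package.

```python
"""Audit exported Android content providers for missing permissions.

Added example. The manifest below is constructed for illustration; the
authorities and the hardened provider are assumptions, not the real
OxygenOS manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: one weak provider (read permission only), one hardened
# provider (read and write permission), and one that is not exported at all.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telephony">
  <application>
    <provider android:name=".PushMessageProvider"
              android:authorities="com.example.pushmessage"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS" />
    <provider android:name=".HardenedProvider"
              android:authorities="com.example.hardened"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.WRITE_SMS" />
    <provider android:name=".InternalProvider"
              android:authorities="com.example.internal"
              android:exported="false" />
  </application>
</manifest>"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_providers(manifest_xml):
    """Return (provider name, issue) pairs for exported providers that lack
    a read or write permission.

    android:permission covers both directions; android:readPermission and
    android:writePermission override it per direction. A provider with no
    android:exported attribute is flagged too, because older targetSdk
    levels exported providers by default.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for provider in root.iter("provider"):
        name = _attr(provider, "name")
        exported = _attr(provider, "exported")
        if exported is None:
            findings.append((name, "android:exported not declared; implicitly exported on old targetSdk"))
        elif exported != "true":
            continue  # private to the package, callers cannot reach it

        common = _attr(provider, "permission")
        read_perm = _attr(provider, "readPermission") or common
        write_perm = _attr(provider, "writePermission") or common
        if read_perm is None:
            findings.append((name, "exported provider declares no readPermission"))
        if write_perm is None:
            findings.append((name, "exported provider declares no writePermission"))
    return findings


if __name__ == "__main__":
    for provider_name, issue in audit_providers(SAMPLE_MANIFEST):
        print("%s: %s" % (provider_name, issue))
```

On the constructed manifest the only finding is the PushMessageProvider entry with no writePermission; the hardened provider passes because both directions are gated. A missing write permission is worth treating as a high-severity finding even when the provider's data looks harmless, since the provider's own query code, not the manifest, decides whether a caller-controlled update can be turned into a read.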
The researchers conducted a small test and confirmed the vulnerability, but their findings were limited to the OnePlus 8T and 10 Pro. That doesn’t mean other OnePlus devices aren’t affected; it only means these two are known to be susceptible.
OnePlus’ response (or lack thereof)
According to Rapid7, the vulnerability was discovered earlier this year. The firm tried to contact OnePlus in May to share its findings and reached out seven separate times without receiving a concrete response. That led Rapid7 to disclose the issue publicly, after which OnePlus acknowledged it. The company says it has launched an investigation into the issue.
So, what does this mean for OnePlus users? For now, there’s not much you can do until OnePlus fixes the problem. In the meantime, keep app installs to a minimum, or at least make sure the apps you download come from trusted publishers and storefronts. You might also want to consider switching away from SMS-based 2FA for the time being.
The post OnePlus OxygenOS Hit by Major Vulnerability Allowing SMS Data Theft appeared first on Android Headlines.