OnePlus phones sporting software dating back to 2015’s OxygenOS 12 contain a security vulnerability that could allow any app to access text message data without permission or interaction from users.
Security researchers Rapid7 uncovered and reported the vulnerability, detailing how OxygenOS incorrectly sets the write permission for SMS, which can expose text data under certain conditions. The researchers note that this means any app could potentially access SMS data, even those that don’t have SMS permissions. Those interested can read a detailed, technical breakdown of the vulnerability on Rapid7’s website.
According to Rapid7, the flaw is present in every version of OxygenOS from 12 to the latest iteration, 15. Their testing confirmed the vulnerability on the OnePlus 8T and 10 Pro, but researchers warned it was far from an exhaustive list.
Initially, Rapid7 said that they received no response from OnePlus or its parent company Oppo about the vulnerability and ultimately chose to disclose the flaw as unfixed on September 22. However, on the 24th, OnePlus contacted Rapid7 and said it was investigating the issue. Moreover, on the 25th, Bleeping Computer reported that OnePlus said it implemented a fix and would roll it out via a software update starting in mid-October.
Unfortunately for impacted OnePlus smartphone owners, there’s not much that can be done until that software patch arrives. Anyone concerned about the vulnerability should minimize the number of apps they install on their OnePlus phone and only install apps from reputable publishers. It might also be a good idea to avoid using SMS-based multi-factor authentication (MFA) codes and switch to authentication apps instead.
Source: Rapid7 Via: Bleeping Computer