OnePlus Phones at Risk: Hidden SMS Flaw Exposes User Data Silently

Cybersecurity firm Rapid7 has identified a critical security flaw in OnePlus’ OxygenOS that could expose users’ SMS and MMS data without consent. The vulnerability, described as a “permission bypass,” allows apps to access messaging information silently, raising concerns over privacy and account security.

The issue spans multiple versions of OxygenOS, which run on a wide range of OnePlus smartphones. Rapid7’s testing was limited to a few devices, but the company suggests that more models could be affected. According to the report, the flaw enables any installed application to read SMS and MMS data from the system-provided Telephony service without requiring user permission or interaction.

Experts warn that this type of vulnerability could have far-reaching implications. Data captured through this flaw could include sensitive information, such as two-factor authentication codes, putting user accounts at risk.

Attempts to contact OnePlus initially were unsuccessful. Rapid7 noted that while OnePlus operates a bug bounty program, restrictive non-disclosure agreement terms prevented immediate collaboration. This limitation contributed to the public disclosure of the issue before a patch was issued.

Rapid7 confirmed that OnePlus is now aware of the vulnerability and is engaging with the security firm to address the problem. Details on how the flaw could be exploited remain unclear, and the company has not announced any official communications or updates for users.

For now, OnePlus device owners are advised to remain cautious and monitor official channels for security updates.