OnePlus Websites Compromised via Abandoned AWS S3 Bucket: Stored XSS Active Across Multiple Domains
Multiple OnePlus websites are actively loading JavaScript from an abandoned AWS S3 bucket that an external researcher has since claimed, which gives whoever controls the bucket the equivalent of a stored cross-site scripting (XSS) vulnerability on every page that still references it. The vulnerability was first reported to OnePlus on July 5, 2025, reported again on July 21, 2025, and remains unpatched as of March 17, 2026, more than eight months after initial disclosure.
The issue was publicly disclosed on Reddit's r/hacking community after the researcher, identified as Swar, stated that OnePlus ignored both reports. The original post on r/oneplus was deleted by moderators.
The Vulnerability
The root cause is a classic S3 bucket takeover. OnePlus previously served JavaScript across its web properties from an S3 bucket named analytics.oneplus.net. At some point the bucket was deleted, which releases its globally unique name for anyone to re-create, but the <script> references in OnePlus's production HTML were never removed.
The researcher found the orphaned reference, created a bucket with the same name under his own AWS account, and can now serve arbitrary JavaScript to any OnePlus page that still references the old analytics script. What would normally be a dead resource link (a 404) becomes a persistent script-injection vector: the file is fetched from s3.amazonaws.com, but the browser executes it in the origin of the embedding page, so it runs with the full privileges of oneplus.com.

Active Exploitation Proof
The researcher demonstrated the vulnerability by injecting proof-of-concept popup dialogs on live OnePlus pages. Visiting affected URLs triggers JavaScript alerts that display cookie data and session tokens, confirming the script executes with full access to the oneplus.com origin, including authentication cookies and session identifiers. (document.cookie exposes every cookie not flagged HttpOnly; HttpOnly cookies stay invisible to script, but injected code can still act on the user's behalf by issuing authenticated requests from the page.)

The script is loaded from s3.amazonaws.com/analytics.oneplus.net/opdcV2.min.js, a path-style S3 URL in which analytics.oneplus.net is the bucket and opdcV2.min.js the object key. Because it executes in the context of the embedding OnePlus page, an attacker controlling this bucket could:
- Steal session tokens and authentication cookies from logged-in OnePlus users
- Redirect users to phishing pages or malicious downloads
- Inject fake payment forms during the checkout process
- Exfiltrate personal data displayed on account pages
- Deploy cryptocurrency miners or other client-side malware
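The dangling-reference pattern described above (a <script src> pointing at an S3 bucket that no longer exists) is easy to hunt for in your own HTML. The following is an added example, not code from the researcher or from OnePlus: it extracts bucket names from both S3 URL styles, collects the script tags on a page, and classifies S3's error response, where the NoSuchBucket code is the signal that the name is unclaimed and can be taken over. The sample page, the hypothetical static-assets-example bucket and the S3 error body are constructed for the example; only the analytics.oneplus.net URL comes from the article.

```python
"""Added example: find <script src> tags that point at S3 buckets and decide, from S3's
error response, whether the bucket name is unclaimed (i.e. takeover-able).
Sample HTML and S3 error bodies below are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# S3 accepts two URL shapes for a bucket. Both are parsed here:
#   path-style:           https://s3.amazonaws.com/<bucket>/<key>     (or s3.<region>.amazonaws.com)
#   virtual-hosted-style: https://<bucket>.s3.amazonaws.com/<key>     (or <bucket>.s3.<region>.amazonaws.com)
S3_HOST_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.\-]+)\.)?s3(?:[.-][a-z0-9\-]+)?\.amazonaws\.com$"
)


def s3_bucket_from_url(url: str):
    """Return the bucket name an S3 URL refers to, or None if the URL is not S3."""
    if "://" not in url and not url.startswith("//"):
        url = "https://" + url            # scheme-less src values, as the article writes them
    parts = urlsplit(url)
    m = S3_HOST_RE.match(parts.hostname or "")
    if not m:
        return None
    if m.group("bucket"):                 # virtual-hosted-style: bucket is in the host
        return m.group("bucket")
    segments = [s for s in parts.path.split("/") if s]
    return segments[0] if segments else None   # path-style: bucket is the first path segment


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def s3_script_refs(html: str):
    """Return [(src, bucket)] for every script the page loads from S3."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    refs = []
    for src in parser.srcs:
        bucket = s3_bucket_from_url(src)
        if bucket:
            refs.append((src, bucket))
    return refs


def classify_s3_response(status: int, body: str) -> str:
    """Map the response to GET https://s3.amazonaws.com/<bucket>/ onto a verdict.

    NoSuchBucket is the signal that matters: the name is unclaimed, so anyone with an
    AWS account can create it and serve whatever the page's <script> tag expects.
    NoSuchKey, AccessDenied and PermanentRedirect all mean the bucket exists, so the
    reference may be broken but the name cannot be taken over."""
    m = re.search(r"<Code>([A-Za-z]+)</Code>", body)
    code = m.group(1) if m else None
    if status == 404 and code == "NoSuchBucket":
        return "TAKEOVER_POSSIBLE"
    if status == 404 and code == "NoSuchKey":
        return "BUCKET_EXISTS_KEY_MISSING"
    if status == 403 or (status == 301 and code == "PermanentRedirect"):
        return "BUCKET_EXISTS"
    if 200 <= status < 300:
        return "SERVING"
    return "UNKNOWN"


def probe_bucket(bucket: str, timeout: float = 10.0) -> str:
    """Live network check (not exercised offline): fetch the bucket root and classify it."""
    from urllib.error import HTTPError
    from urllib.request import urlopen
    try:
        with urlopen(f"https://s3.amazonaws.com/{bucket}/", timeout=timeout) as resp:
            return classify_s3_response(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return classify_s3_response(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample page: one first-party script, the path-style S3 script the OnePlus
# pages load, and a virtual-hosted-style script from a hypothetical bucket.
SAMPLE_HTML = """<html><head>
<script src="https://www.oneplus.com/static/app.js"></script>
<script src="https://s3.amazonaws.com/analytics.oneplus.net/opdcV2.min.js"></script>
<script src="//static-assets-example.s3.eu-west-1.amazonaws.com/vendor.js"></script>
</head><body></body></html>"""

# Constructed S3 error body, in S3's documented error format, for a bucket that does not exist.
SAMPLE_NOSUCHBUCKET = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>
<BucketName>analytics.oneplus.net</BucketName><RequestId>example</RequestId><HostId>example</HostId></Error>"""


def audit(html: str, responses: dict) -> dict:
    """Join the page's S3 script references with per-bucket (status, body) responses."""
    return {bucket: classify_s3_response(*responses.get(bucket, (0, "")))
            for _, bucket in s3_script_refs(html)}


if __name__ == "__main__":
    # Offline run using the constructed response; swap in probe_bucket() for a live audit.
    print(audit(SAMPLE_HTML, {"analytics.oneplus.net": (404, SAMPLE_NOSUCHBUCKET)}))
```

Run this against crawled HTML from every property, not just the main storefront: the affected URLs above are regional pages, which is exactly where stale templates survive longest. A 403 or a regional redirect means the bucket exists and is someone's, so only NoSuchBucket warrants the takeover verdict.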
Confirmed Affected URLs
The researcher confirmed the following OnePlus domains are affected, with additional pages likely vulnerable:
- oneplus.com/hk_en/oneplus-x
- oneplus.com/sg/invites
- oneplus.com/global/5t
- oneplus.com/ro/support/pricing
- oneplus.in/support/pricing/detail
- oneplus.com/si/oneplus-5-jcc-limited
The scope likely extends to any OnePlus page that loads the deprecated analytics script, potentially affecting regional storefronts across Asia, Europe, and India.

Why This Matters
S3 bucket takeover is a well-documented attack class, but it remains dangerous because the remediation is simple (remove the script reference from production HTML, or re-create the bucket before anyone else does) yet organizations routinely fail to do it. OnePlus has a history of website security incidents: in 2018 a script injected into its payment page was used to steal the card details of roughly 40,000 customers, and a 2019 breach exposed customer names, emails, and shipping addresses.
The current vulnerability is particularly concerning because it affects the buy flow on product pages. A malicious actor who discovered this same orphaned bucket could have silently harvested payment credentials or session tokens from OnePlus customers for months without detection.
Responsible Disclosure Failure
The researcher reported the vulnerability through OnePlus channels twice, on July 5, 2025 and July 21, 2025. Both reports were ignored. The public disclosure on Reddit represents a last-resort escalation after eight months without acknowledgment. This mirrors a broader pattern documented by security researchers, including Rapid7's experience with CVE-2025-10184, an OxygenOS vulnerability for which OnePlus's bug bounty program proved unresponsive.
Remediation
For OnePlus: Remove all references to the analytics.oneplus.net bucket from production web pages immediately, and reclaim the bucket name as soon as it is released so it cannot be taken over again while stale references linger in caches, mirrors, and regional templates. Audit all external script sources across oneplus.com subdomains and confirm that every host and bucket they point to is still owned; treat any bucket or domain decommissioning as a change that requires a reference search first. Add Subresource Integrity (SRI) hashes to third-party scripts so that a swapped file fails to load instead of executing. Implement Content Security Policy (CSP) headers, bearing in mind that a host allowlist entry for s3.amazonaws.com alone would not have blocked this, because the attacker's bucket lives on that same shared host; restrict by full bucket path, or use nonce or hash sources.
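To make the SRI and CSP points concrete, here is an added example (not code from OnePlus or the researcher) that computes the integrity attribute for a script, applies the browser's SRI verification rule to the bytes actually served, and shows why a host-only CSP source still admits the taken-over bucket. The script bodies are constructed stand-ins, not the real opdcV2.min.js, and the CSP matcher is a simplified version of the spec (no wildcards or ports).

```python
"""Added example: why SRI fails closed on a taken-over bucket, and why a CSP host allowlist
does not. Script bodies here are constructed stand-ins, not the real opdcV2.min.js."""
import base64
import hashlib
from urllib.parse import urlsplit

SRI_ALGOS = {"sha256": 1, "sha384": 2, "sha512": 3}   # ranked by strength, as browsers rank them


def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Compute the value to put in a <script integrity="..."> attribute."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_check(integrity_attr: str, served_body: bytes) -> bool:
    """Apply the browser's SRI rule: consider only hashes of the strongest listed algorithm,
    and accept the resource if any of them matches the bytes actually served."""
    parsed = []
    for token in integrity_attr.split():
        algo, _, rest = token.partition("-")
        if algo in SRI_ALGOS:
            parsed.append((algo, rest.split("?", 1)[0]))   # drop any option-expression
    if not parsed:
        return True          # no usable metadata: browsers load the resource unchecked
    strongest = max(SRI_ALGOS[a] for a, _ in parsed)
    for algo, expected in parsed:
        if SRI_ALGOS[algo] == strongest and sri_integrity(served_body, algo).split("-", 1)[1] == expected:
            return True
    return False


def hardened_script_tag(src: str, pinned_body: bytes) -> str:
    """The tag shape that fails closed: pinned to the script's hash and fetched with CORS,
    which the browser requires before it will verify a cross-origin body."""
    return f'<script src="{src}" integrity="{sri_integrity(pinned_body)}" crossorigin="anonymous"></script>'


def csp_host_source_allows(source: str, url: str) -> bool:
    """Simplified CSP host-source matching (scheme, host, optional path prefix; no wildcards
    or ports), enough to show that allow-listing a shared host is not a defence."""
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme and s.scheme != u.scheme:
        return False
    if s.hostname != u.hostname:
        return False
    if not s.path or s.path == "/":
        return True                                   # host-only source: any path matches
    if s.path.endswith("/"):
        return u.path.startswith(s.path)              # directory source: prefix match
    return u.path == s.path                           # file source: exact match


SCRIPT_URL = "https://s3.amazonaws.com/analytics.oneplus.net/opdcV2.min.js"
ORIGINAL_BODY = b"/* constructed stand-in for the legitimate opdcV2.min.js */ window.opdc = {};"
SWAPPED_BODY = b"/* constructed stand-in for whatever the bucket's new owner uploads */ window.opdc = {};"


if __name__ == "__main__":
    tag = hardened_script_tag(SCRIPT_URL, ORIGINAL_BODY)
    integrity = sri_integrity(ORIGINAL_BODY)
    print(tag)
    print("legitimate body loads:", sri_check(integrity, ORIGINAL_BODY))
    print("swapped body loads:", sri_check(integrity, SWAPPED_BODY))
    print("host-only CSP admits the swapped script:",
          csp_host_source_allows("https://s3.amazonaws.com", SCRIPT_URL))
```

The trade-off is deliberate: an SRI-pinned analytics script breaks whenever the vendor ships a new version until the hash is updated, which is the fail-closed behaviour you want for code that runs in your checkout origin. The CSP matcher also shows that a path-qualified source such as https://s3.amazonaws.com/<your-bucket>/ excludes other buckets on the shared host, but it still cannot help once the referenced bucket itself belongs to someone else; only removing the reference, or reclaiming the name, fixes that.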
For OnePlus customers: Avoid using the OnePlus website for purchases until the issue is confirmed resolved. If you have visited any OnePlus web page recently while logged in, consider changing your OnePlus account password, clearing your browser cookies for oneplus.com domains, and monitoring your account for unauthorized activity.