OnePlus SMS Security Flaw: A Comedy of Errors in OxygenOS!

OnePlus phones are dealing with a bug that lets any app read SMS data without asking nicely. OxygenOS versions 12 to 15 are affected, and OnePlus has yet to patch this issue. Until they do, keep app installations low and stick to encrypted messaging apps for your secrets.

Hot Take:

Well, OnePlus, you had one job: keep our SMS safe. But thanks to a vulnerability in OxygenOS, our text messages are now more exposed than a cat on a Roomba. It’s a classic case of “Who needs enemies when you have friends like these?” This is a reminder that not all tech needs to be cutting-edge—some of it just needs to work without giving hackers a backstage pass to our lives. And let’s not forget the irony of OnePlus being so unresponsive that they might as well be on airplane mode while our SMS data is on a world tour.

Key Points:

  • Vulnerability in OxygenOS allows apps to access SMS data without permission.
  • Flaw identified as CVE-2025-10184 remains unpatched and exploitable.
  • Rapid7 researchers disclosed the issue after multiple failed attempts to contact OnePlus.
  • Impacts all versions of OxygenOS from 12 to 15, affecting multiple OnePlus models.
  • Users advised to limit app installations and use encrypted messaging apps.

Hey, Where’s My SMS?

OnePlus, the brand known for delivering high-end smartphones at prices that don’t make you cry, seems to have misplaced our SMS privacy somewhere in the development of OxygenOS. The flaw, CVE-2025-10184, lets any installed app wander into your text messages like a raccoon in a trash can. The kicker? It doesn’t even need your permission, because who doesn’t love a little unsolicited SMS peeping?

Details Nobody Asked For

The root of the problem is that OnePlus decided to tinker with Android’s Telephony package. This brilliant move introduced exported content providers like PushMessageProvider, which are as open as a 24-hour diner. They forgot to lock the door: the providers declare no write permission, so write operations never get checked against ‘READ_SMS.’ To make matters worse, that unguarded path allows a “blind SQL injection” that brute-forces SMS data one character at a time. It’s like solving a puzzle, only instead of a prize, you get someone’s private conversations.

Impact and Ignorance

The vulnerability affects all OxygenOS versions from 12 to 15, making it a problem as persistent as a telemarketer. Rapid7 confirmed the issue on several devices, including the OnePlus 8T and 10 Pro. They’ve tried contacting OnePlus since May, but apparently, OnePlus is in the middle of a very intensive game of hide-and-seek. After multiple email attempts were ghosted, Rapid7 went public with the details, hoping to spur some action.

OnePlus, Are You There?

Following the public disclosure, OnePlus finally acknowledged the issue, because nothing says “we care” like being publicly called out. They’re now “investigating the problem,” which is PR speak for “Oops, we dropped the ball.” Meanwhile, users are advised to keep installed apps to a minimum, switch from SMS-based two-factor authentication to secure apps, and communicate using end-to-end encrypted messaging platforms. Because, let’s face it, in the world of cybersecurity, SMS is the equivalent of sending a postcard.

Wrap Up: Keep Your Texts to Yourself

In conclusion, if you’re a OnePlus user, you might want to treat your phone like it’s on a diet—limit the apps and stick to the basics. Until this vulnerability is patched, consider your smartphone like a teenager: it doesn’t need more distractions. And remember, just because your phone is smart doesn’t mean it can’t make dumb mistakes. So stay safe, stay secure, and maybe invest in a good old-fashioned carrier pigeon for your sensitive messages.

The Nimble Nerd