AWS s3 takeover by Swar
Date Reported: July 5 2025, July 21 2025

Detailed Descriptions： A Stored Cross-Site Scripting (Stored XSS) vulnerability exists across multiple OnePlus websites, caused by the inclusion of a JavaScript file hosted on an Amazon AWS S3 bucket "analytics.oneplus.net"



Affected URLs:
https://www.oneplus.com/hk_en/oneplus-x
https://www.oneplus.com/sg/invites
https://www.oneplus.com/global/5t
https://www.oneplus.com/ro/support/pricing
https://www.oneplus.in/support/pricing/detail
https://www.oneplus.com/si/oneplus-5-jcc-limited
Many More

An AWS S3 bucket previously used by Oneplus for serving javascript, appears to have been released and subsequently claimed by me.
Vulnerable JS file Location: https://s3.amazonaws.com/analytics.oneplus.net/opdcV2.min.js

Proof:I have created few popups and rediects

PoC added on https://s3.us-east-1.amazonaws.com/analytics.oneplus.net/urls.docx

Remediation:
Remove Vulnerable JavaScript code https://s3.amazonaws.com/analytics.oneplus.net/opdcV2.min.js from webpages