OnePlus OxygenOS SMS Flaw Could Let Apps Read Texts Without Permission
OnePlus phones running OxygenOS from version 12 up to the current 15 hide a serious flaw. The bug could let any app peek at SMS data without asking for consent or user interaction. Security researchers at Rapid7 uncovered the issue and filed a report detailing how the phone’s write access to SMS data is set incorrectly. That misstep could open the door for apps that should never see Text messages to grab Text messages anyway.
What exactly is the problem?
The core issue is a misconfiguration in OxygenOS that handles SMS write permissions. In some cases, an app can access SMS data even if it does not have the official SMS permission. Rapid7 explains that the OS lays down the wrong permission, which can expose text content under certain conditions. The result is a risk that goes beyond apps asking for SMS rights, making it possible for data to slip through the cracks.
Affected devices and versions
This flaw spans OxygenOS versions 12 through 15. In testing, Rapid7 confirmed the vulnerability on devices like the OnePlus 8T and the OnePlus 10 Pro. Researchers warned that these tests are far from an exhaustive list, suggesting other models in the range could be affected as well.
How the disclosure unfolded
At first, Rapid7 said there was no reply from OnePlus or its parent company Oppo when they reached out about the flaw. They decided to publish their finding as unfixed on September 22. Two days later, OnePlus contacted Rapid7, saying it was looking into the issue. A day after that, BleepingComputer reported OnePlus had said a fix was on the way and would come through a software update in mid-October.
What owners should do right now
If you own a OnePlus phone, there isn’t a quick fix you can apply yourself. Waiting for the patch is the main path. In the meantime, lower risk by keeping the number of apps you install small. Stick to apps from trusted publishers. Also, consider avoiding SMS-based MFA codes until a fix lands. Using an authenticator app for two-factor codes is a safer option for now.
What comes next for OnePlus users
The vendor has signaled that a software update will carry the patch for this SMS leak. While the exact release date can vary by region and carrier, the company plans to push the fix in a mid-October update. Until that patch arrives, users should be careful with what apps they grant permissions to and avoid sharing sensitive SMS data through lesser-known apps.
Why this matters for everyday users
Text messages hold a stream of personal data. If a rogue app can read them without consent, it weakens privacy and could open doors to fraud or identity theft. The issue highlights how small misconfigurations in security rules can have wide effects. It also shows why keeping a phone’s software up to date is crucial.
Bottom line for OnePlus owners
This is a reminder that even trusted brands can have gaps in their security. Stay informed about patch notes and update your device as soon as a fix lands. While waiting, practice cautious app management and turn to stronger MFA methods when possible.
Please note that when you make a purchase through our links at GameHaunt, we might earn a small commission. This helps us keep bringing you the free journalism you love on our site! And don’t worry, our editorial content remains totally unbiased. If you’d like to show some support, you can do so here.
