Moonpig API flaw allegedly exposes millions of customer details

Greeting card company fails to address vulnerability for 17 months, claims developer

Piggy bank

An API flaw has left the personal details of three million Moonpig.com customers exposed for nearly 18 months since the problem was first reported, it is claimed.

The greeting card company allegedly left the issue unaddressed for 17 months, after developer Paul Price said he first warned Moonpig about the problem in August 2013.

He said hackers could access customer names, addresses, telephone numbers and partial credit card details simply by changing the customer identification number sent as part of a normal app API request.

Price contacted the company again in September when no action had been taken, but decided to disclose the flaw publicly yesterday when he saw no fix had been issued.

He wrote in a blog post: "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded."

The developer demonstrated how an HTTP request from Moonpig's Android app to the Moonpig API sent a standard, non-customer specific username and password.

By changing the customer ID when logging into the app, he could access others' accounts and view saved addresses, personal details and card information.

"There's no authentication at all and you can pass in any customer ID to impersonate them," he said. "An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more."

He warned that Moonpig's API flaw provided easy pickings for hackers to steal customer records.

"Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours - very scary indeed," he wrote.

The Information Commissioner's Office (ICO) tweeted earlier to say: "We are aware of the incident at Moonpig and are looking into the details." The body can levy fines of up to 500,000 against firms that have suffered data leaks.

Chris Boyd, malware intelligence analyst at Malwarebytes, criticised Moonpig's delay in responding to customers.

He said: "Too much time has elapsed between notification and any attempt at a fix. At the very least, one would expect the company to notify customers by email to let them know there's an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain.

"Issues such as these can prove very costly to companies, and now the Information Commissioner's Office is looking at the details the fallout could be severe."

Moonpig is believed to have pulled its API offline a few hours after Price's blog post appeared yesterday, and a spokeswoman said its apps are currently unavailable as it conducts investigations.

She said: "We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority.

"As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."

This article was originally published on January 5th, 2015, and was updated at 11.40am then 12pm the same date to include Moonpig's statement and the ICO's statement.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

IT security awareness and training firm KnowBe4 acquires MediaPRO
Acquisition

IT security awareness and training firm KnowBe4 acquires MediaPRO

3 Mar 2021
High-risk email security threats increased by 32% last year
phishing

High-risk email security threats increased by 32% last year

3 Mar 2021
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

3 Mar 2021
Microsoft Exchange targeted by China-linked hackers
zero-day exploit

Microsoft Exchange targeted by China-linked hackers

3 Mar 2021

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
Microsoft Exchange targeted by China-linked hackers
zero-day exploit

Microsoft Exchange targeted by China-linked hackers

3 Mar 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021