Moonpig API flaw allegedly exposes millions of customer details

Greeting card company fails to address vulnerability for 17 months, claims developer


An API flaw has left the personal details of three million Moonpig.com customers exposed for nearly 18 months since the problem was first reported, it is claimed.

The greeting card company allegedly left the issue unaddressed for 17 months, after developer Paul Price said he first warned Moonpig about the problem in August 2013.

He said hackers could access customer names, addresses, telephone numbers and partial credit card details simply by changing the customer identification number sent as part of a normal app API request.

Price contacted the company again in September when no action had been taken, but decided to disclose the flaw publicly yesterday when he saw no fix had been issued.

He wrote in a blog post: "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded."

The developer demonstrated how an HTTP request from Moonpig's Android app to the Moonpig API sent a single, non-customer-specific username and password, shared by every installation of the app.

By changing the customer ID sent in that request, he could access other customers' accounts and view their saved addresses, personal details and card information.

"There's no authentication at all and you can pass in any customer ID to impersonate them," he said. "An attacker could easily place orders on other customers' accounts, add/retrieve card information, view saved addresses, view orders and much more."

He warned that Moonpig's API flaw provided easy pickings for hackers to steal customer records.

"Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours - very scary indeed," he wrote.
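The pattern described above, a credential that identifies the app rather than the customer, followed by a handler that trusts whatever customer ID the caller supplies, is the broken object-level authorisation class of bug. The following Python is an illustration added for this page, not Moonpig's code or Price's proof of concept: the customer records, passwords, endpoint names and handler functions are all constructed. It puts the weak design next to a hardened one in which identity comes from a per-customer session token and the requested ID must match the token's owner, and it shows why sequential IDs make the weak version so cheap to sweep.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed back-end store standing in for real customer data (not Moonpig's).
CUSTOMERS = {
    1001: {"name": "Alice Example", "address": "1 Sample Street", "card_last4": "4242"},
    1002: {"name": "Bob Example", "address": "2 Sample Road", "card_last4": "1111"},
}

# The weak design: one username/password baked into every copy of the app (hypothetical values).
APP_USER, APP_PASS = "mobile-app", "shared-app-secret"


def basic_auth_header(user=APP_USER, password=APP_PASS):
    """Builds the HTTP Basic header the app would send (demo helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def app_credential_ok(auth_header):
    """Checks only that the caller knows the app-wide credential, which every install does."""
    try:
        scheme, encoded = auth_header.split(" ", 1)
        user, password = base64.b64decode(encoded).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    return (scheme == "Basic"
            and hmac.compare_digest(user, APP_USER)
            and hmac.compare_digest(password, APP_PASS))


def get_customer_vulnerable(headers, customer_id):
    """Vulnerable pattern: authenticates the app, then trusts customer_id from the request.

    Nothing ties the credential to a customer, so anyone who has seen the app's traffic
    can ask for any record; with sequential IDs the whole table falls to a simple loop.
    """
    if not app_credential_ok(headers.get("Authorization", "")):
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


# Hardened design: a customer logs in with their own password and receives a random
# session token that the server maps to exactly one customer ID.
def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: customer_id -> (salt, PBKDF2 hash).
PASSWORDS = {
    1001: (b"salt-alice", _pw_hash("alice-pw", b"salt-alice")),
    1002: (b"salt-bob", _pw_hash("bob-pw", b"salt-bob")),
}
SESSIONS = {}  # token -> customer_id, populated by login()


def login(customer_id, password):
    """Verifies the customer's own password; returns an unguessable session token, or None."""
    entry = PASSWORDS.get(customer_id)
    if entry is None or not hmac.compare_digest(_pw_hash(password, entry[0]), entry[1]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def get_customer_hardened(headers, customer_id):
    """Hardened pattern: identity comes from the session; the requested ID must be the owner's."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    owner = SESSIONS.get(auth[len("Bearer "):])
    if owner is None:
        return 401, None
    if owner != customer_id:  # object-level authorisation: no peeking at other accounts
        return 403, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def sweep(handler, headers, id_range):
    """Walks a run of sequential IDs, as the article describes, returning those that leaked a record."""
    return [cid for cid in id_range if handler(headers, cid)[0] == 200]


if __name__ == "__main__":
    app_headers = {"Authorization": basic_auth_header()}
    print("vulnerable sweep leaks:", sweep(get_customer_vulnerable, app_headers, range(1000, 1005)))
    token = login(1001, "alice-pw")
    print("hardened sweep leaks:", sweep(get_customer_hardened, {"Authorization": "Bearer " + token}, range(1000, 1005)))
```

Two points the comparison makes that the prose alone does not: randomising customer IDs would only slow the sweep down, because the missing control is the ownership check in the handler, not the guessability of the ID; and the check has to compare the requested ID against the identity the server derived from the session, never against anything else the client sent.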

The Information Commissioner's Office (ICO) tweeted earlier to say: "We are aware of the incident at Moonpig and are looking into the details." The body can levy fines of up to £500,000 against firms that have suffered data leaks.

Chris Boyd, malware intelligence analyst at Malwarebytes, criticised Moonpig's delay in responding to customers.

He said: "Too much time has elapsed between notification and any attempt at a fix. At the very least, one would expect the company to notify customers by email to let them know there's an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain.

"Issues such as these can prove very costly to companies, and now the Information Commissioner's Office is looking at the details the fallout could be severe."

Moonpig is believed to have pulled its API offline a few hours after Price's blog post appeared yesterday, and a spokeswoman said its apps are currently unavailable as it conducts investigations.

She said: "We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority.

"As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."

This article was originally published on January 5th, 2015, and was updated at 11.40am then 12pm the same date to include Moonpig's statement and the ICO's statement.
