Moonpig API flaw allegedly exposes millions of customer details

Greeting card company fails to address vulnerability for 17 months, claims developer

An API flaw has left the personal details of three million Moonpig.com customers exposed for nearly 18 months since the problem was first reported, it is claimed.

The greeting card company allegedly left the issue unaddressed for 17 months, after developer Paul Price said he first warned Moonpig about the problem in August 2013.

He said hackers could access customer names, addresses, telephone numbers and partial credit card details simply by changing the customer identification number sent as part of a normal app API request.

Price contacted the company again in September when no action had been taken, but decided to disclose the flaw publicly yesterday when he saw no fix had been issued.

He wrote in a blog post: "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded."

The developer demonstrated how an HTTP request from Moonpig's Android app to the Moonpig API sent a standard, non-customer specific username and password.

By changing the customer ID when logging into the app, he could access others' accounts and view saved addresses, personal details and card information.

"There's no authentication at all and you can pass in any customer ID to impersonate them," he said. "An attacker could easily place orders on other customers' accounts, add/retrieve card information, view saved addresses, view orders and much more."

He warned that Moonpig's API flaw provided easy pickings for hackers to steal customer records.

"Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours - very scary indeed," he wrote.
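The two failures described above, a static app-wide credential followed by blind trust in a client-supplied customer ID, and the sequential-ID scraping it enables, are modelled below in an added example that is not Moonpig's code and not from Price's write-up. The handlers, session store, customer records, shared secret and log lines are all constructed for illustration; the fixed handler binds the requested ID to the authenticated principal, and the detector flags any client touching many distinct IDs.

```python
from collections import defaultdict

# Constructed sample data: customer records keyed by sequential ID.
CUSTOMERS = {
    1001: {"name": "Alice", "card_last4": "4242"},
    1002: {"name": "Bob", "card_last4": "0005"},
}
# Constructed session store: opaque per-user token -> owning customer ID.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}
SHARED_APP_SECRET = "app-secret"  # hypothetical static credential baked into the app


def get_record_vulnerable(app_secret, customer_id):
    """Checks only a secret every copy of the app shares, then trusts the
    customer ID from the request. Any client can read any customer (an IDOR)."""
    if app_secret != SHARED_APP_SECRET:
        return None
    return CUSTOMERS.get(customer_id)


def get_record_fixed(session_token, customer_id):
    """Object-level authorization: the requested ID must equal the customer the
    session belongs to, so changing the ID in the request gains nothing."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != customer_id:
        return None  # a real API answers 401/403 here without confirming the ID exists
    return CUSTOMERS[customer_id]


# Constructed access log: "<timestamp> <client ip> <method> <path>".
SAMPLE_LOG = [
    "2015-01-05T10:00:01 203.0.113.7 GET /customer/1001/address",
    "2015-01-05T10:00:09 203.0.113.7 GET /customer/1001/orders",
    "2015-01-05T10:01:00 198.51.100.9 GET /customer/1001/address",
    "2015-01-05T10:01:01 198.51.100.9 GET /customer/1002/address",
    "2015-01-05T10:01:02 198.51.100.9 GET /customer/1003/address",
    "2015-01-05T10:01:03 198.51.100.9 GET /customer/1004/address",
    "2015-01-05T10:01:04 198.51.100.9 GET /customer/1005/address",
]


def flag_enumeration(log_lines, threshold=5):
    """Detection: one client reading many distinct customer IDs is the
    signature of sequential-ID scraping. Returns the flagged client IPs."""
    ids_per_client = defaultdict(set)
    for line in log_lines:
        _ts, client, _method, path = line.split()
        ids_per_client[client].add(path.split("/")[2])
    return sorted(c for c, ids in ids_per_client.items() if len(ids) >= threshold)
```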

The Information Commissioner's Office (ICO) tweeted earlier to say: "We are aware of the incident at Moonpig and are looking into the details." The body can levy fines of up to £500,000 against firms that have suffered data leaks.

Chris Boyd, malware intelligence analyst at Malwarebytes, criticised Moonpig's delay in responding to customers.

He said: "Too much time has elapsed between notification and any attempt at a fix. At the very least, one would expect the company to notify customers by email to let them know there's an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain.

"Issues such as these can prove very costly to companies, and now the Information Commissioner's Office is looking at the details the fallout could be severe."

Moonpig is believed to have pulled its API offline a few hours after Price's blog post appeared yesterday, and a spokeswoman said its apps are currently unavailable as it conducts investigations.

She said: "We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority.

"As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."

This article was originally published on January 5th, 2015, and was updated at 11.40am and again at 12pm the same day to include Moonpig's statement and the ICO's statement.