
Moonpig API flaw allegedly exposes millions of customer details

Greeting card company fails to address vulnerability for 17 months, claims developer


An API flaw has left the personal details of three million Moonpig.com customers exposed for nearly 18 months since the problem was first reported, it is claimed.

The greeting card company allegedly left the issue unaddressed for 17 months, after developer Paul Price said he first warned Moonpig about the problem in August 2013.

He said hackers could access customer names, addresses, telephone numbers and partial credit card details simply by changing the customer identification number sent as part of a normal app API request.

Price contacted the company again in September when no action had been taken, but decided to disclose the flaw publicly yesterday when he saw no fix had been issued.

He wrote in a blog post: "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded."

The developer demonstrated how an HTTP request from Moonpig's Android app to the Moonpig API sent a standard, non-customer specific username and password.

By changing the customer ID when logging into the app, he could access others' accounts and view saved addresses, personal details and card information.

"There's no authentication at all and you can pass in any customer ID to impersonate them," he said. "An attacker could easily place orders on other customers' accounts, add/retrieve card information, view saved addresses, view orders and much more."

He warned that Moonpig's API flaw provided easy pickings for hackers to steal customer records.

"Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours - very scary indeed," he wrote.
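The flaw Price describes is a missing object-level authorization check: the server authenticates a shared app credential and then serves whichever customer ID the request names. The following is an added illustration, not Moonpig's code or data; the handler names, the customer records, the IP addresses and the access-log lines are all constructed for this example. It models the vulnerable handler beside its hardened form, and adds the check a defender would run over access logs to spot one client sweeping through sequential IDs.

```python
"""Added example: object-level authorization on a per-customer API
endpoint, plus a log check for sequential-ID sweeps.

All names, records and log lines are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample records of the kind an account-scoped endpoint returns.
CUSTOMERS = {
    101: {"name": "A. Example", "address": "1 Sample St", "card_last4": "1234"},
    102: {"name": "B. Example", "address": "2 Sample St", "card_last4": "5678"},
    103: {"name": "C. Example", "address": "3 Sample St", "card_last4": "9012"},
}


@dataclass
class Session:
    """The principal the server actually authenticated. With one shared,
    app-wide credential, nothing binds a session to a customer, which is
    why a caller-chosen customer_id must never be trusted on its own."""
    customer_id: int


class Forbidden(Exception):
    """Raised when a session asks for a record it does not own."""


def get_customer_vulnerable(session: Session, requested_id: int) -> dict:
    """Models the reported behaviour: the ID in the request selects the
    record, and the session is never compared against it."""
    return CUSTOMERS[requested_id]


def get_customer_hardened(session: Session, requested_id: int) -> dict:
    """Object-level authorization: the requested record must belong to the
    authenticated principal. (Deriving the ID from the session and dropping
    the request parameter entirely is the stricter variant.)"""
    if session.customer_id != requested_id:
        raise Forbidden(
            f"session for customer {session.customer_id} may not read {requested_id}"
        )
    return CUSTOMERS[requested_id]


# Constructed access-log format: timestamp, client IP, method, path, status.
LOG_RE = re.compile(
    r"^\S+ (?P<ip>\S+) GET /api/customer/(?P<cid>\d+) (?P<status>\d{3})$"
)


def find_enumerating_clients(log_lines, threshold: int = 3) -> dict:
    """Return {client_ip: sorted customer IDs} for clients that successfully
    read more distinct customer records than one account holder plausibly
    owns. Because the IDs are sequential, a sweep shows up as a contiguous
    run of 200s from a single client even though every request 'succeeds'."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            seen[m.group("ip")].add(int(m.group("cid")))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


# Constructed log sample: one ordinary client, one client walking IDs upward.
SAMPLE_LOG = [
    "2015-01-05T09:00:01Z 198.51.100.4 GET /api/customer/101 200",
    "2015-01-05T09:00:02Z 198.51.100.4 GET /api/customer/101 200",
    "2015-01-05T09:00:03Z 203.0.113.7 GET /api/customer/101 200",
    "2015-01-05T09:00:03Z 203.0.113.7 GET /api/customer/102 200",
    "2015-01-05T09:00:04Z 203.0.113.7 GET /api/customer/103 200",
    "2015-01-05T09:00:05Z 203.0.113.7 GET /api/customer/104 404",
]


if __name__ == "__main__":
    own = Session(customer_id=101)
    print("vulnerable:", get_customer_vulnerable(own, 102))   # another customer's record
    try:
        get_customer_hardened(own, 102)
    except Forbidden as exc:
        print("hardened:", exc)
    print("flagged:", find_enumerating_clients(SAMPLE_LOG))
```

The hardened handler is the fix the article implies was missing; the log check is the compensating control a defender can run while a fix is pending, since a sweep over sequential IDs produces a distinctive run of successful reads from one client.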

The Information Commissioner's Office (ICO) tweeted earlier to say: "We are aware of the incident at Moonpig and are looking into the details." The body can levy fines of up to £500,000 against firms that have suffered data leaks.

Chris Boyd, malware intelligence analyst at Malwarebytes, criticised Moonpig's delay in responding to customers.

He said: "Too much time has elapsed between notification and any attempt at a fix. At the very least, one would expect the company to notify customers by email to let them know there's an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain.

"Issues such as these can prove very costly to companies, and now the Information Commissioner's Office is looking at the details the fallout could be severe."

Moonpig is believed to have pulled its API offline a few hours after Price's blog post appeared yesterday, and a spokeswoman said its apps are currently unavailable as it conducts investigations.

She said: "We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority.

"As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."

This article was originally published on January 5th, 2015, and was updated at 11.40am then 12pm the same date to include Moonpig's statement and the ICO's statement.
