Moonpig Flaw Leaves User Info Exposed for Over a Year

Written by

Bespoke card maker Moonpig has come under fire after failing for over 16 months to fix a flaw which could allow attackers to fairly easily lift the personal details of customers.

The vulnerability was first reported privately to the company by researcher Paul Price in August 2013 and then again a year later with the firm apparently doing nothing to deal with the issue, he claimed in a blog post.

“I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be waterboarded,” he wrote.

“~17 months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig.”

The flaw in question allows access to customer names, birthdays, email and regular addresses, and partial card numbers simply by changing the customer ID number sent in an API request, he explained.

“Every API request is like this, there's no authentication at all and you can pass in any customer ID to impersonate them,” wrote Price.

“An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more.”

The API calls are also "non-rate limited," meaning attackers could theoretically nab the details of all of Moonpig’s 3m+ customers.

The firm has not responded with any official comment but Price claimed it has taken the API in question offline.

Security commentator Graham Cluley criticized Moonpig’s slow response in a blog post.

“Clearly, Moonpig’s system was not built with security in mind. That’s very bad, as its databases contains sensitive information and it could clearly be easily abused by online criminals and fraudsters,” he wrote.

“But what I find worse is Moonpig’s failure to adequately respond when it has been given such a long time to do so.”

The UK’s data protection watchdog the Information Commissioner’s Office (ICO) has also tweeted to say it is “looking into the details.”

Chris Boyd, malware intelligence analyst at Malwarebytes, argued that the fallout could be severe for Moonpig if the ICO decides on a fine.

"I think most would agree that Moonpig has been slow to react here, too much time has elapsed between notification and any attempt at a fix," he added.

"At the very least, one would expect the company to notify customers by email to let them know there's an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain."

What’s hot on Infosecurity Magazine?