Moonpig, the online greeting card service, ran an API flaw that exposed personal records and partial credit card details for more than three million customers. The flaw was not fixed until roughly 18 months after it was first reported.
Developer Paul Price identified the flaw and reported it privately to Moonpig. The hole was serious because anyone could impersonate any other user of the site simply by changing the customer ID sent in an API request, a textbook insecure direct object reference: the API returned that customer's name, date of birth, email address and street addresses, along with the expiry date and last four digits of each saved credit card.
“I’ve seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be waterboarded,” Price commented.
He further explained, “Every API request is like this: there’s no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers’ accounts, add or retrieve card information, view saved addresses, view orders and much more.”
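The pattern Price describes, as an added example that is neither Moonpig's code nor Price's: a handler that serves whatever customer ID the client supplies with no authentication, beside a hardened handler that takes the customer's identity from a validated session and refuses to serve anyone else's record. The customer records, the session store and the bearer-token scheme are all constructed for the illustration; a real service would use its own session or signed-token mechanism.

```python
"""Added illustration, not Moonpig's code: an API handler that trusts a
client-supplied customer ID with no authentication (the pattern described
above), beside a hardened handler that derives the customer from a validated
session and refuses other customers' objects. Every name, token and record
here is constructed for the example."""
import secrets

# Constructed sample data: two customers, each with one saved card.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.com",
           "address": "1 Sample Street", "dob": "1980-01-01",
           "card": {"number": "4111111111111111", "expiry": "08/16"}},
    1002: {"name": "Bob Example", "email": "bob@example.com",
           "address": "2 Sample Street", "dob": "1975-05-05",
           "card": {"number": "5555555555554444", "expiry": "11/15"}},
}

# Session store: opaque random token -> customer ID. Stands in for whatever
# server-side session or signed-token mechanism a real service would use.
SESSIONS = {}


def login(customer_id):
    """Issue a session token for a customer (password check omitted)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def _render(customer_id):
    """Build the API response body; card data is limited to last4 + expiry."""
    rec = CUSTOMERS[customer_id]
    return {
        "customerId": customer_id,
        "name": rec["name"], "email": rec["email"],
        "address": rec["address"], "dob": rec["dob"],
        "cards": [{"last4": rec["card"]["number"][-4:],
                   "expiry": rec["card"]["expiry"]}],
    }


def vulnerable_get_customer(params, headers):
    """Broken: whichever customerId the client sends is the record served.
    There is no authentication at all, so the headers are never consulted."""
    return _render(int(params["customerId"]))


def hardened_get_customer(params, headers):
    """Fixed: identity comes from the session, never from the request.
    Raises PermissionError carrying an HTTP-style status instead of leaking."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("401 missing bearer token")
    session_customer = SESSIONS.get(auth[len("Bearer "):])
    if session_customer is None:
        raise PermissionError("401 unknown or expired session")
    # A customerId may still appear in the URL for routing, but it must match
    # the authenticated customer; anything else is another user's object.
    requested = params.get("customerId")
    if requested is not None and int(requested) != session_customer:
        raise PermissionError("403 object belongs to another customer")
    return _render(session_customer)


def enumerate_customers(endpoint, headers, id_range):
    """What an attacker does against the broken endpoint: walk the ID space.
    Returns the records it managed to read. Against the hardened endpoint
    only the caller's own record (if any) comes back."""
    found = {}
    for cid in id_range:
        try:
            found[cid] = endpoint({"customerId": str(cid)}, headers)
        except (PermissionError, KeyError):
            continue
    return found


def status_of(endpoint, params, headers):
    """Return 'ok' if the endpoint served the request, else the status code
    prefix of the PermissionError it raised."""
    try:
        endpoint(params, headers)
        return "ok"
    except PermissionError as exc:
        return str(exc).split()[0]


if __name__ == "__main__":
    # Anonymous enumeration succeeds against the broken handler.
    print(enumerate_customers(vulnerable_get_customer, {}, range(1000, 1010)))
    # The hardened handler serves only the session's own customer.
    hdr = {"Authorization": "Bearer " + login(1001)}
    print(enumerate_customers(hardened_get_customer, hdr, range(1000, 1010)))
```

The point of the hardened handler is that the customer ID in the request is never the source of truth: the record served is always the one bound to the session, and a mismatching ID is refused rather than honoured. Sequential integer IDs, as in the constructed data, make enumeration trivial once that check is missing, which is why the broken handler gives up every record in the range to an unauthenticated caller.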
Moonpig was notified of the flaw in August 2013 and sent a follow-up email in September, but the fix was deferred until “after Christmas.” With the company unresponsive and the flaw still live and exploitable by anyone who cared to script it, Price decided to make it public to “force Moonpig to fix the issue and protect the privacy of their customers”.
In response, Moonpig has taken its apps offline. A spokesperson for Moonpig said, “The security of your shopping experience at Moonpig is extremely important to us and we are investigating the details behind today’s report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”