Published on January 6th, 2015
Moonpig flaw leaves 3 million customer accounts wide open for 17 months
The United Kingdom’s number one online portal for greeting cards, mugs and gifts has a significant flaw which, if exploited by cyber criminals, can expose personal records and credit card details for its three million plus customers. Ironically, the flaw was brought to Moonpig’s notice almost 18 months ago by developer Paul Price.
A simple API flaw means that anybody can access every Moonpig account, along with customer names, birth dates, and email and street addresses, simply by changing the customer identification number sent in an API request. Further, anybody can place orders through the accounts accessed, and anybody can see or obtain the last four digits of credit card numbers and their expiry dates using the insecure API. These records can then be used to make fraudulent purchases online. Price also reports that, despite knowing of the flaw, Moonpig’s administrators have not enabled rate limiting to stop brute-force attacks, making it doubly vulnerable to cyber criminals. Price made his finding known in rather terse language,
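The two defects described above, an API that trusts the customer ID in the request without checking it against the authenticated session, and the absence of rate limiting, are illustrated here as an added example; this is not Moonpig’s code or Price’s, and the customer records, IDs and limits are constructed.

```python
# Added example (not Moonpig's code): a customer-lookup endpoint modelled on the
# flaw described above, beside the authorization and rate-limit checks that would
# have closed it. All records, ids and limits below are constructed.
import time
from collections import defaultdict

# Constructed sample data store keyed by customer id.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.test", "card_last4": "1234"},
    1002: {"name": "Bob Example", "email": "bob@example.test", "card_last4": "5678"},
}

def lookup_vulnerable(session_customer_id, requested_id):
    """Before: the API uses the customer id from the request as-is and never
    compares it with the authenticated session, so any id returns a record."""
    record = CUSTOMERS.get(requested_id)
    return (200, record) if record else (404, None)

class RateLimiter:
    """Sliding-window counter per principal: more than `limit` requests within
    `window` seconds are rejected. The key can be a session, account or client IP."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[key] if now - t < self.window]
        self.hits[key] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True

def lookup_hardened(session_customer_id, requested_id, limiter, now=None):
    """After: requests are throttled before any lookup, and a record is returned
    only when the requested id is the caller's own authenticated id."""
    if not limiter.allow(session_customer_id, now):
        return (429, None)
    if requested_id != session_customer_id:
        # Refuse without revealing whether the other id exists.
        return (403, None)
    record = CUSTOMERS.get(requested_id)
    return (200, record) if record else (404, None)
```

The `now` parameter exists only so the window behaviour can be exercised deterministically; a real handler would let the limiter read the clock itself.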
Moonpig.com is a business based in London and Guernsey which sells personalised greeting cards. Founded by Nick Jenkins, ‘Moonpig’ was his nickname at school, hence the name of the brand. The website was launched in July 2000, and in 2007 the company was responsible for 90 percent of the online greeting card market in the United Kingdom, with nearly six million cards shipped. Price notified Moonpig of the flaw in August 2013, and the timeline of events is given below:
- 18th Aug ’13 – (yes, 2013!) Initial contact made with vendor. After a few e-mails back and forth their reasoning was legacy code and they’ll “get right on it”.
- 26th Sep ’14 – Follow up e-mail. Issue still not resolved. ETA “after Christmas”.
- 5th Jan ’15 – Vulnerability still exists with ample amount of time given to vendor to fix the issue.
After Price made the vulnerability public, Moonpig users took to social media to vent their ire on the company’s administrators, but the company did not respond to their complaints.
However, the company appears to have taken the vulnerable APIs offline for the time being. A spokesperson for Moonpig said: "We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."