Moonpig’s logo. Photograph: Moonpig.com
Greetings card website Moonpig has shut down its mobile apps after a security bug exposed personal details of 3 million customers.
The flaw, described by one observer as “the worst security I’ve ever seen from a large company”, let any attacker access the personal details of every single customer on the website, as well as view past orders and place new ones on any of their accounts.
“The industry standard is usually within 90 days, I gave them 13 months,” he told the Guardian. “I then gave them an extra four months and still no fix. It’s at this point I decided to go public with my findings.
“It wasn’t an easy decision as it was a live vulnerability but I know it would grab Moonpig’s attention and force them to fix it. Who knows how long this has been ‘in the wild’ and if hackers are routinely scraping Moonpig’s customers’ data for the last two years?”
Only after Price’s post was published did Moonpig close access to its mobile apps, sealing off the security hole.
“I’ve seen some half-arsed security measures in my time but this just takes the biscuit,” wrote Price. “Whoever architected this system needs to be
The vulnerability was in the application programming interface (API), the software layer through which Moonpig’s mobile apps communicate with its servers. Price found that, rather than protecting each request with the individual customer’s username and password, the API sent every request with the same fixed credentials, regardless of which user was signed in.
The only thing that told the server which customer’s account a request concerned was a nine-digit customer number, transmitted unencrypted. Accessing another user’s account was as easy for Price as changing that number and re-sending the request, which returned information including postal addresses, birthdays, email addresses, phone numbers, and a portion of credit card data, including the last four digits and expiry dates. Passwords were not exposed, nor was enough credit card data to make a purchase.
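The design flaw described above, as an added illustration rather than Moonpig’s own code: a minimal model of an endpoint that trusts a client-supplied customer number under one shared app credential, beside a corrected version that binds every request to the account its session token was issued for. All names, records and credentials are constructed for the example.

```python
from dataclasses import dataclass
import hmac, secrets

@dataclass
class Customer:
    customer_id: int      # stands in for the nine-digit account number
    name: str
    address: str
    card_last4: str

# Constructed sample records standing in for the customer database.
CUSTOMERS = {
    100000001: Customer(100000001, "Alice", "1 High St", "1234"),
    100000002: Customer(100000002, "Bob", "2 Low Rd", "5678"),
}
PASSWORDS = {100000001: "alice-pw", 100000002: "bob-pw"}  # constructed; real code stores hashes

# The single app-wide credential the flawed API relied on (constructed value).
APP_CREDENTIAL = ("mobile-app", "static-secret")

def flawed_get_customer(auth, customer_id):
    """Flawed design: auth proves only that the caller is *an* app, and the account
    is chosen by a client-supplied ID, so any caller can read any customer (IDOR)."""
    if auth != APP_CREDENTIAL:
        return 401, None
    customer = CUSTOMERS.get(customer_id)
    return (200, customer) if customer else (404, None)

# --- Corrected design: per-user session tokens bound server-side to one account ---
SESSIONS = {}  # token -> customer_id; this mapping never leaves the server

def login(customer_id, password):
    """Issue a random token tied to exactly one customer (None on bad credentials)."""
    expected = PASSWORDS.get(customer_id)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token

def secure_get_customer(token, customer_id):
    """The owning account comes from the token, never from the request.
    A token/ID mismatch is refused; logging it gives detection of ID probing."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None
    if owner != customer_id:
        return 403, None
    return 200, CUSTOMERS[customer_id]
```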