Moonpig, which sells customised greetings cards and other items via UK, US and Australian sites, has a significant security flaw that could expose customer details and partial credit card information. It was reported by Paul Price in August 2013 but remained unfixed.
The security hole means names, birth dates, email and street addresses can be accessed by changing the customer identification number sent in an API request.
It also allows orders to be placed under any account and could allow access to the last four digits of credit cards and expiry dates. The lack of any limit on API requests meant that unscrupulous parties could easily mine Moonpig for customer data.
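The flaw described above is a missing authorization check (the server selects a record by whatever customer id the client sends) compounded by the absence of rate limiting. The following is an added illustration written for this post, not Moonpig's code and not Price's advisory: a hypothetical customer-record handler with that defect beside a hardened version that binds the lookup to the authenticated session, rate-limits each caller, and records mismatches for detection. All names, ids and records are constructed.

```python
"""Added example (not Moonpig's code): a customer-record endpoint that trusts the
customer id in the request, beside a hardened version that binds the lookup to the
authenticated session and rate-limits each caller. All data here is constructed."""
import time
from collections import defaultdict, deque

# Constructed sample records; the fields mirror the kinds of data the report lists.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid", "card_last4": "4242"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid", "card_last4": "1111"},
}

# Security events a defender would forward to a SIEM; kept in a list for the demo.
AUDIT_LOG = []


def get_customer_vulnerable(session_customer_id, requested_customer_id):
    """Broken handler: the id supplied by the client picks the record and the
    authenticated identity is never consulted, so any caller can read any
    account simply by changing the number. Returns (status, body)."""
    return 200, CUSTOMERS.get(requested_customer_id)


class RateLimiter:
    """Sliding-window counter: at most `limit` calls per `window` seconds per caller.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = defaultdict(deque)

    def allow(self, caller):
        now = self.clock()
        q = self.calls[caller]
        while q and now - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


DEFAULT_LIMITER = RateLimiter(limit=60, window=60)


def get_customer_hardened(session_customer_id, requested_customer_id, limiter=DEFAULT_LIMITER):
    """Fixed handler. Returns (status, body) in the shape of an HTTP response.
    1. Rate-limit per authenticated caller so bulk harvesting is slow and visible.
    2. The requested id must equal the session's id; a mismatch is refused and
       logged, since repeated mismatches from one caller are the enumeration signature."""
    if not limiter.allow(session_customer_id):
        AUDIT_LOG.append(("rate_limited", session_customer_id))
        return 429, None
    if requested_customer_id != session_customer_id:
        AUDIT_LOG.append(("object_reference_mismatch", session_customer_id, requested_customer_id))
        return 403, None
    record = CUSTOMERS.get(session_customer_id)
    return (200, record) if record else (404, None)


def mismatch_count(caller):
    """Detection helper: how many cross-account lookups a caller has attempted."""
    return sum(1 for e in AUDIT_LOG if e[0] == "object_reference_mismatch" and e[1] == caller)


if __name__ == "__main__":
    print(get_customer_vulnerable(1001, 1002))   # Alice's session receives Bob's record
    print(get_customer_hardened(1001, 1002))     # (403, None), and the attempt is logged
    print(get_customer_hardened(1001, 1001))     # (200, Alice's own record)
```

The design point is that the server-side session, not the request body, decides which record is in scope; the rate limiter and audit log are defence in depth, so that if an authorization check is ever bypassed the harvesting is still slow and leaves a trail an alert can be written against.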
Unsurprisingly, Twitter is awash with customers asking Moonpig for information on how to close their accounts and what the company will do to protect their data. It has yet to comment. We have also contacted the company for a statement and will update this post accordingly.
While the API in question appears to have been shut off for the time being, there seems to be no online means of closing a Moonpig account. Instead customers are directed to call the company.
In his security advisory, Price says: “I’ve seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be waterboarded.”
After his initial contact with Moonpig in 2013, he followed up in September 2014 and was told that a fix would be instituted by Christmas. When it was not, Price concluded that “[about] 17 months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig.”
Rather appropriately, Moonpig’s parent company, Photobox, is currently advertising for a Security Officer (Moonpig). Let’s hope it speeds up that recruitment process.
Update: Moonpig has tweeted the statement below. As replies to the tweet note, it doesn’t address the question of other personal account information or why the security hole went unfixed for such a long period.
We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.
— Moonpig (@MoonpigUK) January 6, 2015
The company has also sent us this longer statement:
“We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”
➤ Moonpig vulnerability [ifc0nfig]