Moonpig flaw exposed customer details for 17 months

Personalised cards service, Moonpig, failed to fix a serious hole in its security that was first reported 17 months ago, potentially exposing the personal details of millions of customers. The vulnerability, discovered by developer Paul Price, gave attackers easy access to customers’ names, addresses, email addresses, birthdays and even some digits from their credit card numbers.

The flaw was found in the API that allows other web services to interact with Moonpig. The flaw potentially allowed attackers to enter any customer ID number and receive the customer’s personal data in return. The API required no authentication, and there was no limit to the number of times users could access the API, potentially allowing attackers to keep plugging away at customer ID numbers until they had gathered millions of customers’ details. 

“I’ve seen some half-arsed security measures in my time but this just takes the biscuit,” wrote Price on the blog exposing the flaw. “Whoever architected this system needs to be waterboarded.” 

“Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours – very scary indeed,” Price added. 

Price claims he first informed Moonpig of the flaw in August 2013, when the company apparently promised to “get right on it”. He allegedly exchanged further correspondence with the company last September, when it promised to look at the problem after Christmas. Price’s patience finally snapped yesterday, when he published details of the flaw, seemingly prompting Moonpig to take down the offending API. 

Internet security expert Graham Cluley says the company’s failure to fix the flaw is harder to forgive than the sloppy coding. “Clearly, Moonpig’s system was not built with security in mind,” he writes on his WeLiveSecurity blog. “That’s very bad, as its databases contains sensitive information and it could clearly be easily abused by online criminals and fraudsters. But what I find worse is Moonpig’s failure to adequately respond when it has been given such a long time to do so.”

In a statement sent to Expert Reviews, Moonpig said: “We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”

Moonpig declined to comment on why it had taken 17 months to address the reported flaw.