Moonpig, a popular UK-based firm that sells personalised greeting cards, has put the personal and financial information of over 3 million of its customers in danger by using a flawed API.
The flaw allowed anyone to access – and harvest – the name, date of birth, email and home address of each registered customer, as well as the last four digits and expiry date of the payment card they associated with the account, by simply changing the Customer ID number sent in the API request.
“An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more,” explained developer Paul Price, who discovered the weakness in August 2013.
He then duly and responsibly disclosed it to the vendor, and they said that they’ll fix it immediately.
More than a year later, in September 2014, the flaw was still there, and Price reiterated his request for it to be fixed. They didn’t.
Finally, his patience ran out on Monday, January 5, when he published the details of the flaw on his blog.
“Initially I was going to wait until they fixed their live endpoints but given the timeframes I’ve decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this!),” he noted. “~17 months is more than enough time to fix an issue like this.”
This move apparently got the firm’s attention. “Although there’s been no offical comment from Moonpig it seems they have taken the API offline around 3 hours after this post was published,” Price shared.
The company has finally reacted publicly an hour ago:
“You may have seen reports this morning about our Apps and the security of customer details when shopping with Moonpig. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”
I notice that they didn’t mention that the customers’ personal information was and is safe. Disgruntled users have noticed that, too.