Moonpig left user details vulnerability unfixed for over a year

6 Jan 2015

Moonpig image via Moonpig.com

Moonpig, the online greeting card company, has come under fierce criticism for leaving a vulnerability in its mobile app for more than a year and a half that allowed customer information to be accessed.

Online security expert Paul Price, who writes for ifc0nfig.com, has had a running battle with the company. Over the last year and a half, going as far back as August 2013, he alerted Moonpig numerous times to the vulnerability, which affects as many as 3m customers, but only now, after significant media attention, has the API been taken offline.

By looking at the HTTP requests the Android app made to its API, Price was able to determine there was no authentication whatsoever on the app, and with a few simple clicks he was able to find his test user's information and access the account.

This process could then be repeated easily with anyone else’s user ID to obtain all the payment information that he or she would have on his or her account.

In fact, after further snooping, Price came across one piece of code entitled ‘GetCreditCardDetails’ which did exactly that.

While it returned only the last four digits of the credit-card number, all the other data relating to his test account was visible.
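The missing check described above, shown as an added example (not Moonpig's code and not from Price's write-up): a handler that trusts the user ID in the request, beside one that requires a server-issued session token and serves only the caller's own record. The key, customer IDs, field names and function names are all hypothetical, and the sample data is constructed.

```python
import hashlib
import hmac

# Constructed sample data; key, IDs and field names are hypothetical.
SERVER_KEY = b"demo-only-key"
CARDS = {
    "1001": {"name": "A. Tester", "last4": "4242", "expiry": "01/17"},
    "1002": {"name": "B. Customer", "last4": "1881", "expiry": "09/16"},
}


def _mac(customer_id: str) -> str:
    return hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()


def issue_token(customer_id: str) -> str:
    """Issued by the server after login; binds the session to one customer."""
    return f"{customer_id}.{_mac(customer_id)}"


def authenticated_customer(token):
    """Return the customer ID the token was issued for, or None if invalid."""
    if not token or "." not in token:
        return None
    customer_id, mac = token.rsplit(".", 1)
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    ok = hmac.compare_digest(mac.encode(), _mac(customer_id).encode())
    return customer_id if ok else None


def get_card_details_flawed(params):
    """The pattern the article describes: the ID in the request is trusted."""
    return 200, CARDS.get(params.get("customerId"))


def get_card_details_checked(params, token):
    """Same lookup, but the caller must be authenticated and own the record."""
    caller = authenticated_customer(token)
    if caller is None:
        return 401, None  # no valid session at all
    if params.get("customerId") != caller:
        return 403, None  # valid session, but asking for another account
    return 200, CARDS.get(caller)
```

The 401 and 403 responses are also the events worth logging: a run of 403s from one session against sequential IDs is the signature of the enumeration the article describes.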

12 months’ notice before going public

Price said in an interview with The Guardian that he gave Moonpig 16 months to fix the issue before going public, despite the industry standard being closer to 90 days.

In his blog, Price wrote, “I’ve seen some half-arsed security messures (sic) in my time but this just takes the biscuit. Whoever architected this system needs to be waterboarded.”

Moonpig’s parent company, Photobox, has since issued a statement on its website dismissing the idea that its customers’ accounts were vulnerable.

“We can assure our customers that all password and payment information is and has always been safe,” said the statement.

Colm Gorey was a senior journalist with Silicon Republic
