Moonpig may have leaked data on millions of customers

A security flaw first reported to Moonpig by a security expert in 2013 was exposed this morning after a fix had not been made, in order to ‘force the company to protect users’

Credit card details, full names and postal addresses of Moonpig’s 3.6m customers may have been accessible to hackers for over a year because of a security flaw in the website, claims a security expert.

Paul Price today published a blog post about the flaw and claims that he first discovered it and alerted Moonpig in August 2013, when they replied that they would “get right on it”.

A follow-up email in September 2014 also prompted no fix, he claims, and the vulnerability was still there as of this morning.

He decided to publish details “to force Moonpig to fix the issue and protect the privacy of their customers”.

“I’ve seen some half-a***d security measures in my time but this just takes the biscuit,” he wrote.

The flaw relates to the API, the programming interface the company’s mobile apps use to talk to its servers.

Messages passed between the Moonpig Android app and the company’s servers can be tweaked and used to coax sensitive information about other users, he demonstrated.

“An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more,” he wrote.

“I hit my test users a few hundred times in quick succession and I was not rate limited. Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours – very scary indeed.”
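Read from the defender’s side, the two failures described above are missing object-level authorisation (the server trusts whatever customer ID the app sends) and missing rate limiting (sequential IDs can be walked without friction). The following is an added Python example, not Moonpig’s code, showing the vulnerable handler pattern beside a hardened one; the function names, sample records and limiter are assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed sample records standing in for the customer database.
CUSTOMERS = {
    1001: {"name": "Alice Example", "address": "1 Sample Street"},
    1002: {"name": "Bob Example", "address": "2 Sample Street"},
}

class Forbidden(Exception):
    """Raised when a caller asks for a record that is not their own."""

class TooManyRequests(Exception):
    """Raised when a caller exceeds the per-window request budget."""

def get_customer_vulnerable(session_customer_id, requested_id):
    # Insecure direct object reference: the client-chosen ID is used as-is,
    # so any logged-in caller can read any record, and sequential IDs make
    # walking the whole table trivial. The session's own ID is never consulted.
    return CUSTOMERS.get(requested_id)

class SlidingWindowLimiter:
    """Allows at most `limit` calls per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = defaultdict(deque)

    def check(self, key):
        now = self.clock()
        q = self.calls[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that have aged out of the window
        if len(q) >= self.limit:
            raise TooManyRequests(key)
        q.append(now)

def get_customer_hardened(session_customer_id, requested_id, limiter):
    # Rate-limit per authenticated principal before doing any work.
    limiter.check(session_customer_id)
    # Object-level authorisation: the record must belong to the session.
    # Denied requests are worth logging; a burst of them across many IDs
    # is the signature of the enumeration described in the article.
    if requested_id != session_customer_id:
        raise Forbidden(f"customer {session_customer_id} asked for {requested_id}")
    return CUSTOMERS.get(requested_id)
```

The limit is keyed on the authenticated identity rather than the client IP, so an attacker cannot reset the budget simply by changing networks.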

Chris Boyd, malware intelligence analyst at security firm Malwarebytes, said: “I think most would agree that Moonpig has been slow to react here; too much time has elapsed between notification and any attempt at a fix.

“At the very least, one would expect the company to notify customers by email to let them know there’s an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain. Issues such as these can prove very costly to companies, and now the Information Commissioner’s Office is looking at the details the fallout could be severe.”

A Moonpig spokesperson said: “We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe.

“The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority. As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”

If you would like to know more about our Penetration Testing Services please feel free to contact us or call on 0330 124 3599 to find out more.

References from The Telegraph