Update 06/01/2015 11:40am: Moonpig have made their first public announcement regarding the vulnerability. Earlier this morning they tweeted:
We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.
— Moonpig (@MoonpigUK) January 6, 2015
Which, unsurprisingly, was met with a wave of responses from the public:
— James Seymour-Lock (@JamesSLock) January 6, 2015
A vulnerability that exposes customer information has been found in the Android app of online personalised card company Moonpig.
The developer who discovered the vulnerability said in a post on his website “An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more.”
The vulnerability can be exploited by changing the customer ID number sent in an API request, which allows access to another user’s account without any further authentication. This is a stunningly basic flaw that almost any attacker could use to harvest personal data, make fraudulent orders, and even gather some payment card details.
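The flaw described above is a textbook insecure direct object reference: the API authenticates the caller but then trusts a customer ID supplied in the request. The following Python is an added illustration, not Moonpig's code or the developer's proof of concept; the customer records, session tokens, log lines and function names are all constructed for the example. It shows the vulnerable handler beside a hardened one that binds every lookup to the authenticated session, and a small log check a defender could use to spot one session reading many different customer IDs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data (hypothetical customers and session tokens).
CUSTOMERS = {
    101: {"name": "Alice", "addresses": ["1 Example Street"]},
    202: {"name": "Bob", "addresses": ["2 Sample Road"]},
}
SESSIONS = {"token-alice": 101, "token-bob": 202}  # token -> customer id


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def get_addresses_vulnerable(session_token: str, customer_id: int) -> Response:
    """Checks that the caller is logged in, then trusts the customer_id in
    the request: any authenticated user can read any account's addresses."""
    if session_token not in SESSIONS:
        return Response(401)
    customer = CUSTOMERS.get(customer_id)
    if customer is None:
        return Response(404)
    return Response(200, {"addresses": customer["addresses"]})


def get_addresses_hardened(session_token: str, customer_id: int) -> Response:
    """Derives the customer from the session and refuses any request whose
    customer_id does not match the authenticated identity."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return Response(401)
    if customer_id != owner:
        # 403 here; some APIs return 404 so as not to confirm the id exists.
        return Response(403)
    return Response(200, {"addresses": CUSTOMERS[owner]["addresses"]})


# Constructed access-log lines: one session walks through several ids.
SAMPLE_LOG = """\
2015-01-05T10:00:01Z session=token-alice GET /customer/101/addresses 200
2015-01-05T10:00:09Z session=token-bob GET /customer/202/addresses 200
2015-01-05T10:00:10Z session=token-bob GET /customer/203/addresses 200
2015-01-05T10:00:11Z session=token-bob GET /customer/204/addresses 200
"""

LOG_RE = re.compile(r"session=(\S+) GET /customer/(\d+)/")


def flag_enumerating_sessions(log_text: str, threshold: int = 1) -> dict:
    """Returns {session: distinct customer ids seen} for every session that
    touched more than `threshold` distinct ids. A legitimate session should
    only ever address its own customer id, so anything above one is worth
    an alert in an API shaped like the one described in the article."""
    seen: dict = {}
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match:
            seen.setdefault(match.group(1), set()).add(int(match.group(2)))
    return {s: len(ids) for s, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print(get_addresses_vulnerable("token-alice", 202).status)  # 200: leak
    print(get_addresses_hardened("token-alice", 202).status)    # 403: blocked
    print(flag_enumerating_sessions(SAMPLE_LOG))                # {'token-bob': 3}
```

The hardened handler never uses the request's customer ID to choose the record; it only compares it against the identity the server already established. That is the fix the article's description calls for, and it is cheap to add as a middleware rule across every endpoint rather than per handler.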
The story gets worse.
Developer Paul Price first notified Moonpig of the vulnerability in August 2013, to which Moonpig responded that they would “get right on it”.
Thirteen months later, the vulnerability still existed, and after another email from Paul, Moonpig responded that they would have the issue resolved “after Christmas”.
As you can guess, Moonpig didn’t stay true to their word, forcing Price to go public.
While some will criticise Price for going public instead of reaching out to an enforcement authority like the Information Commissioner, it appears his efforts have finally been successful. At the time of writing this article, Moonpig has taken the API offline.
- Run regular penetration tests of all Internet-facing resources.
- If you get several warnings about a security hole, FIX IT!