Moonpig API flaw allegedly exposes millions of customer details

Piggy bank

An API flaw has left the personal details of three million customers exposed for nearly 18 months since the problem was first reported, it is claimed.

The greeting card company allegedly left the issue unaddressed for 17 months, after developer Paul Price said he first warned Moonpig about the problem in August 2013.

He said hackers could access customer names, addresses, telephone numbers and partial credit card details simply by changing the customer identification number sent as part of a normal app API request.

Price contacted the company again in September when no action had been taken, but decided to disclose the flaw publicly yesterday when he saw no fix had been issued.

He wrote in a blog post: "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded."

The developer demonstrated how an HTTP request from Moonpig's Android app to the Moonpig API sent a standard, non-customer specific username and password.

By changing the customer ID when logging into the app, he could access others' accounts and view saved addresses, personal details and card information.

"There's no authentication at all and you can pass in any customer ID to impersonate them," he said. "An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more."

He warned that Moonpig's API flaw provided easy pickings for hackers to steal customer records.

"Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours - very scary indeed," he wrote.

The Information Commissioner's Office (ICO) tweeted earlier to say: "We are aware of the incident at Moonpig and are looking into the details." The body can levy fines of up to 500,000 against firms that have suffered data leaks.

Chris Boyd, malware intelligence analyst at Malwarebytes, criticised Moonpig's delay in responding to customers.

He said: "Too much time has elapsed between notification and any attempt at a fix. At the very least, one would expect the company to notify customers by email to let them know there's an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain.

"Issues such as these can prove very costly to companies, and now the Information Commissioner's Office is looking at the details the fallout could be severe."

Moonpig is believed to have pulled its API offline a few hours after Price's blog post appeared yesterday, and a spokeswoman said its apps are currently unavailable as it conducts investigations.

She said: "We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority.

"As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."

This article was originally published on January 5th, 2015, and was updated at 11.40am then 12pm the same date to include Moonpig's statement and the ICO's statement.