Unpatched security hole has left millions of Moonpig customers at risk for 17 months

Moonpig, the online personalised card company, has been accused of a shockingly sloppy attitude to security, after apparently leaving a serious hole in its security unpatched.

The vulnerability, which was said to have been first reported to Moonpig back in August 2013 (yes, 2013), allows anyone with a modicum of programming knowledge to access the names, dates of birth, email and home addresses of the company’s 3.6 million customers.

All that it takes is to change the Customer ID number sent in an API request. No authentication is required.

Developer Paul Price discovered the serious security hole back in August 2013 (yes, 2013) and told Moonpig about the problem. Frustrated by the company’s lack of response after some 17 months, Price has now gone public.

In Price’s tests he discovered that the API calls were not rate-limited, meaning that in theory it would be possible to work through every Customer ID in turn and eventually retrieve the personal details of all of Moonpig’s users.
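The two failures the article describes, a server that trusts a client-supplied Customer ID and an API with no rate limit, are easiest to see beside the pattern that prevents them. The following is an added illustration written for this page, not Moonpig’s code or anything from Price’s write-up: the in-memory customer records, the session tokens and the handler names are all constructed for the example. The vulnerable handler is included only as the “before” of the fix.

```python
"""Added example (not Moonpig's code): object-level authorization plus a
per-session rate limit, the two controls whose absence the article describes.

All data below is constructed for illustration; the record IDs, tokens and
handler names are assumptions, not anything from the real API.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed sample records standing in for the customer database.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Example", "email": "a@example.invalid", "dob": "1980-01-01"},
    1002: {"name": "B. Example", "email": "b@example.invalid", "dob": "1975-06-15"},
}

# Constructed session store: bearer token -> the customer it authenticates.
SESSIONS: Dict[str, int] = {"tok-a": 1001, "tok-b": 1002}


class Unauthorized(Exception):
    """Raised when the caller is unauthenticated or not the record's owner."""


class TooManyRequests(Exception):
    """Raised when a session exceeds its request budget."""


def get_customer_vulnerable(customer_id: int) -> dict:
    """The anti-pattern: the client names the record and the server believes it.

    No session is checked and no ownership is enforced, so any caller can read
    any customer simply by changing the ID. Shown only as the 'before' case.
    """
    return CUSTOMERS[customer_id]


@dataclass
class RateLimiter:
    """Fixed-window request counter per principal.

    Simplified for the example: a production API would keep the counters in a
    shared store so the limit holds across every server behind the load balancer.
    """
    limit: int
    window_seconds: float
    clock: Callable[[], float] = time.monotonic
    _hits: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def check(self, principal: str) -> None:
        now = self.clock()
        start, count = self._hits.get(principal, (now, 0))
        if now - start >= self.window_seconds:
            start, count = now, 0          # window expired: start a fresh one
        count += 1
        self._hits[principal] = (start, count)
        if count > self.limit:
            raise TooManyRequests(principal)


def get_customer_secure(token: str, customer_id: int, limiter: RateLimiter) -> dict:
    """Hardened handler: authenticate, rate-limit, then enforce ownership.

    The rate limit is charged before the ownership check so that rejected
    lookups also consume budget; otherwise a caller could probe IDs for free.
    """
    caller = SESSIONS.get(token)
    if caller is None:
        raise Unauthorized("missing or invalid session")
    limiter.check(token)
    # Object-level authorization: a session may only read its own record.
    if caller != customer_id:
        raise Unauthorized("customer_id does not belong to this session")
    return CUSTOMERS[customer_id]


def outcome(fn: Callable, *args) -> str:
    """Classify a handler call as 'ok', 'unauthorized' or 'rate_limited'."""
    try:
        fn(*args)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except TooManyRequests:
        return "rate_limited"


if __name__ == "__main__":
    limiter = RateLimiter(limit=5, window_seconds=60)
    print("vulnerable, cross-account:", get_customer_vulnerable(1002)["name"])
    print("secure, own record:      ", outcome(get_customer_secure, "tok-a", 1001, limiter))
    print("secure, other account:   ", outcome(get_customer_secure, "tok-a", 1002, limiter))
```

The key design point is that the hardened handler never uses the client-supplied ID to decide *whose* data to return; it uses the session to establish who is calling and then checks that the requested record belongs to them. The rate limiter is a second, independent control that bounds how fast any one session can make requests at all, which is what turns a single bad request into a detectable event rather than a full-database walk.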

[Image: Moonpig vulnerability]

News of the flaw quickly spread on Twitter last night to such an extent that “Moonpig” was trending in London.

Sadly, Moonpig’s UK branch appeared to be oblivious to the furore, telling followers it had settled down with a nice cup of tea to watch the latest series of the David Tennant detective drama “Broadchurch”.

Price, who says he responsibly disclosed the vulnerability to Moonpig on 18 August 2013 and again a year later on 26 September 2014, is clearly unimpressed:

“I’ve seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded.”

Clearly, Moonpig’s system was not built with security in mind. That’s very bad, as its databases contain sensitive information that could easily be abused by online criminals and fraudsters.

But what I find worse is Moonpig’s failure to adequately respond when it has been given such a long time to do so.

Personally, I would have preferred it if Price had taken his findings to a security journalist rather than made details of the vulnerability public, and the media could have applied pressure on Moonpig to resolve the issue.

However, after waiting 17 months, I can certainly understand the frustration felt by someone who has tried to get the problem fixed and found a company that clearly wasn’t listening.

At the time of writing, Moonpig appears to have shut down access to its offending API. However, it hasn’t as yet made any public response on its Twitter account. Maybe it’s still reeling from the events of the episode of “Broadchurch” it was watching…

Author Graham Cluley, We Live Security

  • Janet

    Thank you for this information, Graham! I was about to place an order from here in Canada on their website!

  • Gen. Chang

    Hey, Eset and Graham,

    Saw your article on Flipboard this morning! More security outfits should make their stuff available on Flipboard too. The people have a great need to be educated on how to protect themselves. Keep up the good work, and thanks!

  • fingerssteve

    Hi, should I cancel the card whose details I gave to Moonpig last October?

    • Well, that’s up to you. According to Paul Price, it was possible when the API was live to get the card type, customer ID, expiry date, last four digits, and the name on the card. But not the full card number or CVV. That might be enough to allow misuse in _some_ circumstances, especially in combination with other stolen information. But it doesn’t mean that your data actually _have_ been stolen. At the least, you need to be sure you’re tracking your credit card statements. But that was always true.

Copyright © 2017 ESET, All Rights Reserved.