What We Learned From The Moonpig Website Bug

How should companies respond to vulnerability discoveries and do they have an ethical obligation to protect customer data?

When developer Paul Price published a blog this week detailing what he described as a serious vulnerability in Moonpig’s website, the popular greetings card company shut down its mobile apps while it investigates the matter.

Price, however, claims to have first warned the company about the flaw way back in 2013 and only went public due to what he says is Moonpig’s inaction to fix the problem.

The vulnerability is said to lie in the website’s application programming interface (API), a set of routines, protocols, and tools for building software applications.

The flaw gave hackers access to customer ID numbers by sending in an API request, which required no authentication. API calls were not rate-limited, so attackers could work their way through different combinations until they discovered each customer ID. As well as accessing contact details, they could see the last four digits of a saved credit card and place orders on someone else’s card.
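The two defects described above, a lookup that needs no authentication and an API with no rate limit, are easy to show side by side. The following is an added example written for this article, not Moonpig's code: a constructed in-memory customer store and session table, a lookup in the vulnerable shape next to a hardened version that throttles every caller first, then requires a session token, then allows a record to be read only by the customer who owns it. All names, tokens and data are constructed placeholders.

```python
"""Added example (not Moonpig's code): an unauthenticated, unthrottled
customer lookup beside a hardened version of the same API call."""
import time
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample data: customer records keyed by sequential integer IDs,
# the kind of ID space that is trivial to walk through if nothing stops you.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Example", "email": "a@example.invalid", "card_last4": "4242"},
    1002: {"name": "B. Example", "email": "b@example.invalid", "card_last4": "1111"},
}
# Constructed session store: bearer token -> ID of the logged-in customer.
SESSIONS: Dict[str, int] = {"token-for-1001": 1001}


def get_customer_vulnerable(customer_id: int) -> Optional[dict]:
    """Insecure shape: any caller can read any record just by supplying its ID."""
    return CUSTOMERS.get(customer_id)


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self.hits: Dict[str, List[float]] = defaultdict(list)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[key] if now - t < self.window]
        self.hits[key] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter(limit=5, window=60.0)


class ApiError(Exception):
    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


def get_customer_hardened(customer_id: int, token: Optional[str], client: str,
                          now: Optional[float] = None) -> dict:
    """Hardened shape: throttle first (so unauthenticated probing is also
    limited), then authenticate, then authorise against the session's own ID."""
    if not LIMITER.allow(client, now):
        raise ApiError(429, "rate limit exceeded")
    owner = SESSIONS.get(token or "")
    if owner is None:
        raise ApiError(401, "authentication required")
    record = CUSTOMERS.get(customer_id)
    if owner != customer_id or record is None:
        # Same response whether the record is someone else's or absent, so the
        # caller cannot learn which IDs exist.
        raise ApiError(404, "not found")
    # Return a minimal view; card digits have no place in a generic lookup.
    return {"name": record["name"], "email": record["email"]}


def lookup_status(customer_id: int, token: Optional[str], client: str,
                  now: Optional[float] = None) -> int:
    """HTTP-style status of a hardened lookup; convenient for tests and logs."""
    try:
        get_customer_hardened(customer_id, token, client, now)
        return 200
    except ApiError as err:
        return err.status
```

The ordering matters: the limiter is keyed on the client, not the token, so callers who never authenticate are still throttled, and an unauthorised ID gets the same 404 as a nonexistent one, which removes the cheap existence oracle that makes ID walking worthwhile.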

The issue is very serious, with about three million customers’ data potentially at risk should the flaw be genuine. So what can we learn from this? Here’s what industry commentators have to say:

Eldar Tuvey, CEO of mobile security company Wandera

The latest Moonpig security breach highlights the continued vulnerabilities in mobile app security. During 2014 we saw a number of high profile hacks including the iCloud leak and Forbes.com.

We know that increasingly people are using apps on both their personal and work phones – latest Wandera research reveals 70% of users are exposed to insecure apps on their mobile devices, which for businesses presents a big risk to corporate security, as well as personal information.

This case is a reminder that well-known brands and big businesses need to take mobile security more seriously than ever before, as it’s crucial to always protect customers’ data and their own corporate data. Poor programming often results in apps inadvertently leaking sensitive user information, opening a window of opportunity for a hacker to look into customers’ credit card details and obtain other personal information from their accounts. We see 1 to 2 new apps used in our network of global employees every day which suffer from this vulnerability.

Apps using only basic authentication can in some scenarios open up the possibility of a Man in the Middle Attack being staged. Having a multi-layered mobile security solution in place is critical, and utilising algorithms to detect patterns that signal malicious or risky behaviour is proving to be an effective solution.

Ross Brewer, managing director for international markets at LogRhythm

“We’re used to hearing about security breaches and flaws on a very frequent basis these days, so the fact that another organisation has fallen foul doesn’t come as too much of a surprise. We have, after all, reached a stage when it’s a case of when, not if, a security incident occurs for most businesses today. What is unbelievable is the fact that Moonpig was made aware of the fact there was an issue almost two years ago and, as far as can be seen, did nothing about it.

“For any organisation, and particularly for retail businesses, customers are really the only thing that keeps them going. Showing such flagrant disregard for the safety of their data is unforgivable, and you can be sure many members of the public will see it in the same way. In fact, a recent survey conducted by LogRhythm found that 56 percent of people said they either don’t do business with an organisation that has suffered a breach, or at least limit the amount of information they share with them – which indicates Moonpig could face a quick decline in customers following this news.

“The financial repercussions of any breach can be severe, thanks to lost customers, income and fines that may be levied, and the longer flaws are left open, the worse that loss is likely to be. With the security landscape as it is today, there really is no excuse for organisations not to have the tools in place to identify risks and fix problems as soon as they are identified. Understanding normal network activity is crucial to ensuring its security, and can severely reduce the time it takes to detect threats. No flaw should take 17 months to rectify, particularly when it’s already been identified, and leaving it for so long is asking for trouble – from multiple angles.”

David Emm, principal security researcher at Kaspersky Lab

“As we understand it, the reported vulnerability has not so far been used to steal personal information of Moonpig customers. However, it seems that the vulnerability, if confirmed, would allow an attacker to access the account details of other customers. Moonpig is telling its customers that all password and payment information is secure but has made its mobile apps unavailable while it conducts further investigation.

“It’s important that companies take information about a vulnerability in their products very seriously. After discovering a bug, researchers typically try to contact the company first and give them time to fix the issue before going public with their findings. If this vulnerability is confirmed, and it’s true that Moonpig has previously failed to take any action to protect their customers for almost a year and a half, this is alarming – especially for a provider of an online shopping application used to transmit highly sensitive data. In recent years a number of companies have been willing to publicly acknowledge such issues and take steps to remedy the situation and offer advice to customers.

“Clearly there are two aspects to any online transaction. We all have a responsibility to secure ourselves by only using secure web sites, legitimate apps and using unique, complex passwords to ensure that if one account is compromised it doesn’t put all our other online accounts in jeopardy. However, providers also have a responsibility to ensure secure communication between the customers and their own systems.”

Bob West, chief trust officer at CipherCloud

“The response to this breach has been particularly slow. Based on the researcher’s analysis, authentication was not in place for consumers. For a company to be aware of a basic security issue for more than 17 months is gross negligence. Because companies that process payments are custodians of customer data, they have a legal and, I would argue, ethical obligation to protect that information.

“From a legal and regulatory perspective, ICO (UK jurisdiction) and Payment Card Industry (PCI) mandates require stronger security practices, such as data encryption for safeguarding consumer privacy. In my view, companies also have an ethical duty to protect consumer privacy. When customers hand over their data for a commercial transaction, they should be able to trust that the vendor will take sufficient measures to protect that data. As any good salesperson can attest, trust is an inherent component of the customer relationship.”

Trey Ford, global security strategist, Rapid7

“APIs have been an area of concern in the cybersecurity community for years. An internet exposed API (Application Program Interface) is serving requests from the public internet – they are often poorly documented, insufficiently logged, and routinely overlooked in security testing. This is further complicated by different developers using and expanding the API in unexpected ways. Moonpig, like many other organisations should be, is taking a hard look at the security of their APIs.”
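Ford's point that internet-exposed APIs are insufficiently logged cuts both ways: if the calls are logged at all, the enumeration pattern from the article (one client walking through many customer IDs) is easy to spot. The following is an added example, not from the article or any vendor's product: a small detector that parses constructed API access-log lines and flags clients that touch more than a threshold of distinct customer IDs within a short window, reporting the longest run of consecutive IDs as a secondary signal. The log format, addresses and IDs are all constructed.

```python
"""Added example (not from the article or any product): flag customer-ID
enumeration in API access logs. Log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed format: "<ISO timestamp> <client> <method> /api/customer/<id> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"/api/customer/(?P<cid>\d+) (?P<status>\d{3})$"
)

# Constructed sample log: one client stepping through sequential IDs,
# one ordinary user reading their own record twice.
SAMPLE_LOG = """\
2015-01-06T10:00:00Z 198.51.100.7 GET /api/customer/1001 200
2015-01-06T10:00:01Z 198.51.100.7 GET /api/customer/1002 200
2015-01-06T10:00:01Z 198.51.100.7 GET /api/customer/1003 200
2015-01-06T10:00:02Z 198.51.100.7 GET /api/customer/1004 200
2015-01-06T10:00:03Z 198.51.100.7 GET /api/customer/1005 200
2015-01-06T10:00:03Z 198.51.100.7 GET /api/customer/1006 200
2015-01-06T10:00:05Z 203.0.113.9 GET /api/customer/2450 200
2015-01-06T10:04:10Z 203.0.113.9 GET /api/customer/2450 200
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "client": m["client"],
        "cid": int(m["cid"]),
        "status": int(m["status"]),
    }


def longest_sequential_run(cids: List[int]) -> int:
    """Length of the longest run where each ID is exactly the previous ID + 1."""
    best = run = 1 if cids else 0
    for prev, cur in zip(cids, cids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(log_text: str, window: timedelta = timedelta(minutes=5),
                     threshold: int = 5) -> Dict[str, Dict[str, int]]:
    """Return, per flagged client, the largest number of distinct customer IDs
    it requested within any `window`, plus its longest sequential-ID run.
    A client is flagged only if that distinct count exceeds `threshold`."""
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["client"]].append((rec["ts"], rec["cid"]))

    findings: Dict[str, Dict[str, int]] = {}
    for client, recs in events.items():
        recs.sort()
        peak, start = 0, 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            peak = max(peak, len({cid for _, cid in recs[start:end + 1]}))
        if peak > threshold:
            findings[client] = {
                "distinct": peak,
                "sequential_run": longest_sequential_run([cid for _, cid in recs]),
            }
    return findings


if __name__ == "__main__":
    for client, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {info['distinct']} distinct IDs in window, "
              f"longest sequential run {info['sequential_run']}")
```

The threshold and window are deliberately small so the constructed sample triggers; in a real deployment they would be tuned against the observed per-user baseline, which is the "understanding normal network activity" Brewer refers to above.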

Chris Boyd, malware intelligence analyst, Malwarebytes

“I think most would agree that Moonpig has been slow to react here; too much time has elapsed between notification and any attempt at a fix. At the very least, one would expect the company to notify customers by email to let them know there’s an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain. Issues such as these can prove very costly to companies, and now the Information Commissioner’s Office is looking at the details the fallout could be severe.”
