Developer Says Moonpig’s Website Architect Should Be Shot Or Waterboarded

Popular greetings card website Moonpig.com has rubbished accusations that its customers’ data is at risk, but has shut down its mobile apps while it investigates the claim.

Developer Paul Price says he discovered a vulnerability in the website that gives any attacker access to the personal details of every Moonpig customer, as well as allowing them to view past orders and place new ones on any of their accounts. In total, this would mean 3 million customers’ data is exposed.

Application programming interface

Price says the problem lies in the website’s application programming interface (API), a set of routines, protocols, and tools for building software applications.

The flaw gave hackers access to customer records by sending an API request that took a customer ID number and required no authentication. API calls were not rate-limited, so attackers could work their way through different ID values until they discovered each customer's record. As well as accessing contact details, they could see the last four digits of a saved credit card and place orders on someone else's card.
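As an added illustration (not Moonpig's code, and not from Price's post), the following models the authorisation failure described above beside one way to close it: requiring a session, tying the requested customer ID to that session, and rate-limiting callers. Customer records, session tokens and the rate limit are constructed for the example.

```python
# Constructed sample data: customer ID -> record (only the last four card digits are stored).
import time
from collections import defaultdict

CUSTOMERS = {
    1001: {"name": "Alice Example", "card_last4": "4242"},
    1002: {"name": "Bob Example", "card_last4": "0005"},
}
# Constructed session store: bearer token -> customer ID it was issued to.
SESSIONS = {"token-alice": 1001, "token-bob": 1002}


def get_customer_vulnerable(customer_id):
    """Insecure pattern described in the article: any caller can read any
    record just by supplying its ID. No authentication, no ownership check,
    no rate limit, so IDs can be walked sequentially."""
    return CUSTOMERS.get(customer_id)


class RateLimiter:
    """Sliding-window limiter keyed by caller (token; in production also the
    source address, so unauthenticated callers are limited too)."""
    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = defaultdict(list)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[key] if now - t < self.window]
        self.hits[key] = recent
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter(max_requests=5, window_seconds=60)


def get_customer_hardened(token, customer_id, now=None):
    """Hardened pattern: caller must hold a valid session, may only read the
    record that session belongs to, and is rate-limited. Returns (status, record)."""
    if not LIMITER.allow(token, now):
        return 429, None            # Too Many Requests
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None            # no valid session
    if owner != customer_id:
        return 404, None            # do not reveal that other IDs exist
    return 200, CUSTOMERS[customer_id]
```

The `404` on a mismatched ID, rather than `403`, avoids confirming which IDs exist; the ownership check is the fix for the enumeration problem, the rate limit only slows it down.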

Price claims to have found the security bug back in 2013 and says he disclosed details of the flaw to Moonpig privately on August 18 2013. Price said that inaction by Moonpig led to him going public with the matter in a recent blog post to “force Moonpig to fix the issue and protect the privacy of their customers”.

In it, he wrote: “I’ve seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded (sic).”

Moonpig is adamant that its customers’ data is safe, though, commenting: “We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.

“As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”

Chris Boyd, malware intelligence analyst at Internet security software firm, Malwarebytes, said: “I think most would agree that Moonpig has been slow to react here, too much time has elapsed between notification and any attempt at a fix. At the very least, one would expect the company to notify customers by email to let them know there’s an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain. Issues such as these can prove very costly to companies, and now the Information Commissioner’s Office is looking at the details the fallout could be severe.”


Duncan MacRae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.
