The flaw, which was identified by researcher Paul Price, allowed hackers to bypass authentication security and place orders, as well as see and add payment information.
“With just a small amount of computer knowledge, you would be able to interrogate Moonpig’s database remotely,” said security expert Graham Cluley. “It would spit back names, email addresses, dates of birth, real addresses and partial credit card information.
“There is an API call, which allows the app to speak to the Moonpig database on its website. When you use it, you just send a numerical value. You should only be able to do that for your own account but, if you edit it, Moonpig presumes you mean another customer and returns their details.
“It is not full credit card details but these are all pieces of the jigsaw and can be pieced together for ID theft.”
This is nothing new. We’re used to hearing about security breaches and flaws on a very frequent basis these days, so the fact that another organisation has fallen foul doesn’t come as too much of a surprise. In fact, a group of students at the University of California Riverside have recently found that the success rate in hacking smartphone apps is 92 per cent.
With attackers continually finding ways around security controls, as the video below shows, we’ll probably keep hearing about such events in the future.
What sets this situation apart, however, is that Price claims the flaw was left unfixed for 17 months, despite the company being made aware of it.
“There’s no authentication at all and you can pass in any customer ID to impersonate them,” suggests Price. “An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more.”
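The authorisation failure Cluley and Price describe, as an added illustration that is not Moonpig’s code: a handler that trusts a caller-supplied customer ID beside one that ties the ID to the authenticated session, plus a check over constructed access-log lines that flags a client walking through many customer IDs. The customer records, session tokens and addresses are all made up.

```python
from collections import defaultdict

# Constructed stand-in for a retailer's customer table (hypothetical data).
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.invalid", "card_last4": "1234"},
    1002: {"name": "B. Example", "email": "b@example.invalid", "card_last4": "5678"},
}
# Session tokens issued at login, mapped to the customer they belong to (constructed).
SESSIONS = {"tok-alpha": 1001, "tok-bravo": 1002}


def get_customer_vulnerable(customer_id):
    """The pattern described in the article: the caller supplies only a
    numeric customer ID, so any ID returns that customer's record."""
    return CUSTOMERS.get(customer_id)


def get_customer_hardened(token, customer_id):
    """Fix: identity comes from the authenticated session, and the requested
    ID must match it. A mismatch is refused instead of returning someone else's data."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise PermissionError("unauthenticated")
    if owner != customer_id:
        raise PermissionError("customer id does not belong to this session")
    return CUSTOMERS[customer_id]


def flag_enumeration(log_lines, threshold=3):
    """Detection: count distinct customer IDs requested per client address in
    log lines of the form 'client_ip GET /customer/<id>'. One client asking for
    many different IDs is the signature of an enumeration run against such an endpoint."""
    ids_per_client = defaultdict(set)
    for line in log_lines:
        client, _method, path = line.split()
        if path.startswith("/customer/"):
            ids_per_client[client].add(path.rsplit("/", 1)[1])
    return sorted(c for c, ids in ids_per_client.items() if len(ids) >= threshold)


SAMPLE_LOG = [  # constructed, not real traffic
    "203.0.113.5 GET /customer/1001",
    "203.0.113.5 GET /customer/1002",
    "203.0.113.5 GET /customer/1003",
    "198.51.100.9 GET /customer/1002",
]
```

Calling `flag_enumeration(SAMPLE_LOG)` returns `['203.0.113.5']`, the one client that requested three distinct customer records.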
Ross Brewer, vice president and managing director for international markets at LogRhythm, said: “We have reached a stage when it’s a case of when, not if, a security incident occurs for most businesses today. What is unbelievable is the fact that Moonpig was made aware of the fact there was an issue almost two years ago and, as far as can be seen, did nothing about it.
“For any organisation, and particularly for retail businesses, customers are really the only thing that keeps them going. Showing such flagrant disregard for the safety of their data is unforgivable, and you can be sure many members of the public will see it in the same way.”
LogRhythm research has shown that 56 per cent of people said they either don’t do business with an organisation that has suffered a breach, or at least limit the amount of information they share with it.
“This indicates that Moonpig could face a quick decline in customers following this news,” suggests Brewer.
“The financial repercussions of any breach can be severe, thanks to lost customers, income and fines that may be levied, and the longer flaws are left open, the worse that loss is likely to be. With the security landscape as it is today, there really is no excuse for organisations not to have the tools in place to identify risks and fix problems as soon as they are identified.”
No flaw should take 17 months to rectify, particularly when it’s already been identified, and leaving it for so long is asking for trouble – from multiple angles.
“Given the timeframes I’ve decided to force Moonpig to fix the issue and protect the privacy of their customers,” Price said. “It appears customer privacy is not a priority to Moonpig.”