Tuesday, 6 January 2015

MoonPig Flawed as Company Exposes 3 Million Records

Moonpig’s brand reputation and business took a hefty hit today as a significant flaw was revealed that exposes some three million customers’ personal records and partial credit card details. What’s more, as the news hit the web today, it emerged that Moonpig had known about the flaw for almost 18 months. So, what happened?

The failure, initially discovered and privately reported by developer Paul Price, was a missing authorisation check: the API trusted the customer identification number supplied in the request, so every account’s name, birth date, email address and street address could be read simply by changing that number.

Orders could be placed under any account, and credit card expiry dates and the last four digits of card numbers could be plucked out through the same insecure API. With no rate limiting in sight, nothing stopped a script from walking every customer number in turn, making it a cash cow for black hats, vandals and their bots.
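To make the two failures above concrete, here is an added Python sketch; it is not the original post’s code and not Moonpig’s, and every name, token and record in it is constructed. It puts a lookup that trusts the client-supplied customer id beside one that derives the permitted record from the authenticated caller, and adds a small sliding-window rate limiter of the kind whose absence let a script enumerate accounts.

```python
"""Insecure direct object reference (IDOR) beside its fix, plus a rate limiter.

Added illustration only: the store, tokens and records below are constructed
sample data, and the API shape is a hypothetical stand-in, not Moonpig's.
"""
from collections import deque
import time

# Constructed customer store: customer id -> record (fake data).
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.test", "card_last4": "4242"},
    1002: {"name": "Bob Example", "email": "bob@example.test", "card_last4": "1881"},
}

# Constructed credential table: API token -> the customer id it belongs to.
SESSIONS = {"token-alice": 1001, "token-bob": 1002}


class Forbidden(Exception):
    """Caller is not allowed to read the requested object."""


class RateLimited(Exception):
    """Caller exceeded the request budget for the window."""


def get_customer_vulnerable(request):
    """Vulnerable: authenticates the caller, then serves whichever customerId
    the client asked for. Any valid token can read any account by changing
    the number, which is the flaw described in the article."""
    if request["token"] not in SESSIONS:
        raise Forbidden("bad token")
    return CUSTOMERS[request["customerId"]]


def get_customer_hardened(request):
    """Hardened: the record a caller may read is derived from the authenticated
    identity, and a customerId that does not match the caller is refused
    rather than served."""
    owner = SESSIONS.get(request["token"])
    if owner is None:
        raise Forbidden("bad token")
    if request["customerId"] != owner:
        raise Forbidden("customerId does not belong to caller")
    return CUSTOMERS[owner]


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key in any `window_s` seconds.
    The clock is injectable so behaviour can be tested deterministically."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.clock = clock
        self.hits = {}  # key -> deque of request timestamps inside the window

    def check(self, key):
        now = self.clock()
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= self.limit:
            raise RateLimited(key)
        q.append(now)


def enumerate_ids(handler, token, ids, limiter=None):
    """Simulate a script walking customer ids with one token.
    Returns (emails leaked, requests refused)."""
    leaked, refused = [], 0
    for cid in ids:
        try:
            if limiter is not None:
                limiter.check(token)
            leaked.append(handler({"token": token, "customerId": cid})["email"])
        except (Forbidden, RateLimited, KeyError):
            refused += 1
    return leaked, refused


if __name__ == "__main__":
    ids = [1001, 1002]
    print("vulnerable:", enumerate_ids(get_customer_vulnerable, "token-alice", ids))
    print("hardened:  ", enumerate_ids(get_customer_hardened, "token-alice", ids))
    lim = SlidingWindowLimiter(limit=3, window_s=60)
    print("vulnerable + limiter:",
          enumerate_ids(get_customer_vulnerable, "token-alice", ids * 3, limiter=lim))
```

The hardened handler is the real fix; the limiter only raises the cost of enumeration and would not have stopped a patient attacker reading three million records one at a time, so it belongs in addition to, not instead of, the ownership check.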

Even more surprising is how long Moonpig left the door open. Price first notified them in August 2013 and chased them in September 2014, when Moonpig promised a fix by Christmas. In 2015 the flaw remained open right up to the story’s publication on The Register this morning. The question is, why the lag, when the API is core to their business and there is no shortage of expertise on the market to help them protect it?
