Moonpig’s brand reputation and business took a hefty hit
today as a significant flaw was revealed that exposes some three million
customers’ personal records and partial credit card details. What’s more,
as the news hits the web today, it seems Moonpig knew of this almost 18 months
ago. So, what happened?
The failure, initially discovered and privately reported by
developer Paul Price, meant that every account, with its name, birth date, email
address and street address, could be accessed simply by changing the customer
identification number sent in an API request.
Orders could be placed under any account. Credit card
expiry dates and the last four digits could be plucked out using a handy,
insecure API. Script-busting rate limiters were nowhere to be seen, making
it a cash cow for black hats, vandals and their bots.
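As an added illustration (not Moonpig’s code), here is a minimal request handler with the two defects the paragraph describes, trusting a client-supplied customer id and having no rate limit, beside a hardened version that fixes both; the customer records, session tokens and status codes are constructed for the example.

```python
# Added example, not Moonpig's code: an API that serves whatever customer id
# the request names (an IDOR) and has no rate limiting, shown beside a handler
# that derives the owner from the session and throttles per token.
# All data below is constructed sample data.

# customer id -> record
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid", "card_last4": "4242"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid", "card_last4": "1881"},
}
# session token -> customer id the token was issued to
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


def get_customer_vulnerable(token, customer_id):
    """Checks only that the caller is logged in, then serves whatever id the
    request names: any valid session can read any other customer's record."""
    if token not in SESSIONS:
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


class FixedWindowLimiter:
    """At most `limit` calls per `window` seconds for each key (token or client
    address); `now` is passed in so the behaviour can be exercised offline."""
    def __init__(self, limit, window):
        self.limit, self.window, self._hits = limit, window, {}

    def allow(self, key, now):
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window:      # window expired: start a fresh one
            start, count = now, 0
        self._hits[key] = (start, count + 1)
        return count + 1 <= self.limit


def get_customer_hardened(token, customer_id, limiter, now):
    """Rate-limits per token, then compares the requested id with the owner
    recorded for the session instead of trusting the request body."""
    if not limiter.allow(token, now):
        return 429, None
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None
    if owner != customer_id:
        # Refuse; a burst of these from one token is the enumeration signal to alert on.
        return 403, None
    return 200, CUSTOMERS[owner]
```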
Even more surprising is that Moonpig has left the door open
for so long. Price initially notified them in August 2013 and chased them
in September 2014, when Moonpig promised to fix it by Christmas. Now, in 2015,
the flaw remained open immediately prior to the story’s publication on The
Register this morning. The question is: why the lag, when it is core to
their business and there is equally expertise on the market to help them
protect that business?