Moonpig, the popular greetings card and gifts website, has had the accounts of three million users compromised after an attack on the company’s website by hacking group “p0wned”.
The attack, according to reports, exploited a simple API flaw. The company has closed its mobile apps in response.
Indeed, as details of the security flaw that was exploited emerged, the company was lambasted for its lackadaisical attitude to its users' security – and the banking and other personal details that may have been exposed. One security specialist, Paul Price, wrote: “I’ve seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded.”
Following a detailed technical explanation, Price continued: “There’s no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more.
“At this point one would usually decompile the APK [Android application package] and see if there are any hidden API methods but on this occasion there’s no need, Moonpig have made it easy for us. If you hit the API endpoint with an unknown method you’ll get a custom 404 with a link to a help page listing every method available in their API with helpful descriptions. The help page also exposes their internal network DNS set-up – but that’s another story.”
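The flaw Price describes is a missing authentication and object-level authorization check: the server trusts a client-supplied customer ID. The following is an added illustration, not code from the article or from Moonpig, using constructed sample data and hypothetical function names; it places the vulnerable pattern beside a hardened handler that derives identity from a server-side session and refuses cross-customer reads.

```python
from typing import Optional

# Constructed sample data standing in for a real customer database.
# Nothing here comes from Moonpig; it exists only for this demonstration.
CUSTOMERS = {
    1001: {"name": "Alice", "saved_address": "1 Example Street"},
    1002: {"name": "Bob", "saved_address": "2 Sample Road"},
}

# Constructed session table: opaque bearer token -> authenticated customer ID.
SESSIONS = {"token-for-alice": 1001, "token-for-bob": 1002}


class Unauthenticated(Exception):
    """Raised when no valid session accompanies the request."""


class Forbidden(Exception):
    """Raised when a request targets a record the caller does not own."""


def get_address_vulnerable(customer_id: int) -> str:
    """Pattern the article describes: no authentication, and the customer ID
    in the request is used directly, so any caller can read any customer's
    saved address simply by changing the number."""
    return CUSTOMERS[customer_id]["saved_address"]


def get_address_hardened(token: Optional[str], customer_id: int) -> str:
    """Hardened handler: identity comes from the server-side session, never
    from the request, and the requested record must belong to the caller."""
    if token is None or token not in SESSIONS:
        raise Unauthenticated("no valid session presented")
    caller = SESSIONS[token]
    if caller != customer_id:
        # Refuse without revealing whether the other customer ID exists;
        # this is the event a detection rule should alert on if it repeats.
        raise Forbidden(f"customer {caller} may not read customer {customer_id}")
    return CUSTOMERS[customer_id]["saved_address"]
```

The same ownership check belongs on every endpoint that takes an object identifier (orders, cards, addresses), since an attacker probes whichever one was forgotten.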
The security flaw is not new, claims Price.
He writes that he has attempted to contact Moonpig to highlight the security shortcoming since August 2013. “Initially I was going to wait until they fixed their live endpoints, but given the time-frames I’ve decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this!). Seventeen months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig,” writes Price.
The company claims that customer usernames, passwords and credit card details were not exposed by the security flaw, although users may still be at risk of identity theft.