Three Million Moonpig accounts exposed by simple API flaw
The United Kingdom’s number one online greeting cards, mugs and gift articles selling portal has a significant flaw which if exploited by cyber criminals can expose personal records and credit card details for its three million plus customers. Ironically the flaw was brought to Moonpig’s notice almost 18 moths ago by developer Paul Price.
Vulnerability
A simple API flaw can mean that anybody can access Moonpig’s every account along with customer names, birth dates, and email and street addresses. They can be accessed by changing the customer identification number sent in an API request. Further anybody can place orders through the accounts accessed. And anybody can see or obtain last four digits of credit card numbers and expiry dates using insecure API. These records can than be used to make fraudulent purchases online.
Price also reports that despite of the knowledge of the flaw, Moonpig’s administrators have not enabled Rate Limiters to stop the brute-force attacks thus making it doubly vulnerable to cyber criminals.
Price made his finding known in rather terse language,
I’ve seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded…
…Every API request is like this, there’s no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more…
…I hit my test users a few hundred times in quick succession and I was not rate limited. Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours – very scary indeed…
About Moonpig
Moonpig.com is a business based in London and Guernsey which sells personalised greeting cards. Founded by Nick Jenkins, ‘Moonpig’ was his nickname at school, hence the name of the brand. The website was launched in July 2000, and in 2007 the company was responsible for 90 percent of the online greeting card market in the United Kingdom, with nearly six million cards shipped.
In July 2011, Moonpig was bought by PhotoBox and it is operated by them.
Timeline
Moonpig was notified of the flaw in August 2013 by Price about the flaw and the timeline of the events is given below :
- 18th Aug ’13 – (yes, 2013!) Initial contact made with vendor. After a few e-mails back and fourth their reasoning was legacy code and they’ll “get right on it”.
- 26th Sep ’14 – Follow up e-mail. Issue still not resolved. ETA “after Christmas
- 5th Jan ’15 – Vulnerability still exists with ample amount of time given to vendor to fix the issue.
After Price made the vulnerability public, Moonpig users took to social media to vent their ire on the admin but company did not respond to their complaints.
unbelievable – shocking security by moonpig https://t.co/aPc0Zjd5ST
— Nick (@ntcoding) January 6, 2015
https://twitter.com/hdmoore/status/552247704764420096
However the company seems to have patched the vulnerable API’s at the time of writing this article.
It's ok everyone! After 17 months the @moonpiguk API vulnerability is over because we're now blocked from getting anyone's address data!
— andy piper (pipes) (@andypiper) January 6, 2015
