Three Million Moonpig accounts exposed by simple API flaw
The United Kingdom’s number one online portal for greeting cards, mugs and gift articles has a significant flaw which, if exploited by cyber criminals, can expose personal records and credit card details for its three million plus customers. Ironically, the flaw was brought to Moonpig’s notice almost 18 months ago by developer Paul Price.
Vulnerability
A simple API flaw means that anybody can access every Moonpig account, along with the customer’s name, birth date, email address and street address. Accounts can be accessed simply by changing the customer identification number sent in an API request. Further, anybody can place orders through the accounts accessed, and anybody can obtain the last four digits of stored credit card numbers and their expiry dates through the insecure API. These records can then be used to make fraudulent purchases online.
Price also reports that, despite knowing about the flaw, Moonpig’s administrators have not enabled rate limiting to stop brute-force enumeration of accounts, making the service doubly vulnerable to cyber criminals.
Price made his findings known in rather terse language:
I’ve seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded…
…Every API request is like this, there’s no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more…
…I hit my test users a few hundred times in quick succession and I was not rate limited. Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours – very scary indeed…
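The two weaknesses described above (a customer ID taken from the request with no authentication behind it, and no rate limiting on the endpoint) are easiest to understand side by side. The following is an added illustration and is not Moonpig’s code or Price’s proof of concept: it models a “get customer” handler in the insecure shape the article describes, then a hardened version that serves only the record bound to the caller’s session token and sits behind a per-client rate limiter. All customer records, tokens, names and the handler functions are constructed for the example.

```python
import time

# Constructed sample data standing in for the records the article says were
# exposed (name, email, postal address, last four card digits, expiry).
CUSTOMERS = {
    101: {"name": "Alice Example", "email": "alice@example.invalid",
          "address": "1 Sample Street", "card_last4": "1234", "card_expiry": "01/27"},
    102: {"name": "Bob Example", "email": "bob@example.invalid",
          "address": "2 Sample Street", "card_last4": "9876", "card_expiry": "06/26"},
}

# Constructed session store: bearer token issued at login -> customer id it is bound to.
SESSIONS = {"tok-alice": 101, "tok-bob": 102}


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def get_customer_vulnerable(params):
    """The pattern the article describes: the customer id supplied by the
    caller is trusted and no credential is checked, so any caller can read
    any record simply by changing the id."""
    return CUSTOMERS[int(params["customerId"])]


def caller_from_headers(headers):
    """Resolve the authenticated customer from a bearer token; None if absent or invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):].strip())


def get_customer_hardened(headers, params):
    """Object-level authorization: the record served is the one bound to the
    token, never the one named by the client. A mismatch is reported as 404
    so the endpoint does not confirm which ids exist."""
    caller_id = caller_from_headers(headers)
    if caller_id is None:
        raise ApiError(401, "authentication required")
    requested = int(params.get("customerId", caller_id))
    if requested != caller_id:
        raise ApiError(404, "not found")
    return CUSTOMERS[caller_id]


class RateLimiter:
    """Fixed-window counter keyed by token or client address. It does not fix
    the authorization bug, but it slows bulk enumeration and gives operations
    a signal to alert on."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self._counts = {}  # key -> (window_start, count)

    def allow(self, key):
        now = self.clock()
        start, count = self._counts.get(key, (now, 0))
        if now - start >= self.window:        # window expired: start a fresh one
            start, count = now, 0
        if count >= self.limit:
            self._counts[key] = (start, count)
            return False
        self._counts[key] = (start, count + 1)
        return True


def handle_get_customer(limiter, headers, params, client_key):
    """Request pipeline: rate limit first, then authenticate and authorize.
    Returns (status, body) the way an HTTP handler would."""
    if not limiter.allow(client_key):
        return 429, {"error": "too many requests"}
    try:
        return 200, get_customer_hardened(headers, params)
    except ApiError as e:
        return e.status, {"error": str(e)}


if __name__ == "__main__":
    # An unauthenticated caller asking for someone else's record is served by
    # the vulnerable handler and refused (401) by the hardened pipeline.
    print(get_customer_vulnerable({"customerId": "102"})["name"])
    print(handle_get_customer(RateLimiter(100, 60), {}, {"customerId": "102"}, "anon"))
```

The important design point is that the hardened handler never uses the client-supplied ID to choose a record; the ID is derived from the session, and a client-supplied value is only checked for consistency. The rate limiter is a second, independent control: it would not have stopped a single lookup, but it turns the “whole customer base in a few hours” scenario Price describes into something slow and noisy enough to detect.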
About Moonpig
Moonpig.com is a business based in London and Guernsey which sells personalised greeting cards. It was founded by Nick Jenkins; ‘Moonpig’ was his nickname at school, hence the name of the brand. The website was launched in July 2000, and in 2007 the company was responsible for 90 percent of the online greeting card market in the United Kingdom, with nearly six million cards shipped.
In July 2011, Moonpig was bought by PhotoBox, which operates it today.
Timeline
Moonpig was notified of the flaw by Price in August 2013; the timeline of events is given below:
- 18th Aug ’13 – (yes, 2013!) Initial contact made with vendor. After a few e-mails back and forth their reasoning was legacy code and they’ll ‘get right on it’.
- 26th Sep ’14 – Follow up e-mail. Issue still not resolved. ETA ‘after Christmas’.
- 5th Jan ’15 – Vulnerability still exists with ample amount of time given to vendor to fix the issue.
After Price made the vulnerability public, Moonpig users took to social media to vent their ire, but the company did not respond to their complaints.
unbelievable – shocking security by moonpig https://t.co/aPc0Zjd5ST
— Nick (@ntcoding) January 6, 2015
https://twitter.com/hdmoore/status/552247704764420096
However, at the time of writing this article the company appears to have patched the vulnerable APIs.
It's ok everyone! After 17 months the @moonpiguk API vulnerability is over because we're now blocked from getting anyone's address data!
— andy piper (pipes) (@andypiper) January 6, 2015