
Moonpig flaw leaves customer accounts wide open for 17 months (update)

Over the years we've seen our fair share of security breaches and loopholes, but rarely do they take the companies involved almost 17 months to patch them up. Moonpig, the online mail order greeting card service, is guilty of this particular faux-pas after an external developer noticed a severe vulnerability back in August 2013. Here's how it worked: using the Moonpig API, it was possible to impersonate any customer by submitting their unique ID number. With a little bit of technical know-how, anyone could have exploited it to place orders or, more worryingly, retrieve personal information such as credit card details, addresses and past purchases. "Whoever architected this system needs to be waterboarded," said Paul Price, who first spotted the problem. After Price notified Moonpig in 2013, the company promised to "get right on it," but, as of yesterday, nothing had changed. Price then shared the vulnerability online, which, according to The Register, finally forced Moonpig to take action and pull the exposed APIs. The company has yet to comment on the whole affair, but if you've been a Moonpig customer in the past, now might be a good time to change your password or remove your account details altogether.
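As an added illustration (not Moonpig's code; the article does not show their API), the Python below contrasts the pattern the article describes, an endpoint that treats a client-supplied customer ID as proof of identity, with one that takes identity from the authenticated session and treats a mismatched ID as a cross-account attempt worth alerting on. All function names, tokens and customer records are constructed.

```python
# Added example, not Moonpig's code. Constructed sample data only.
CUSTOMERS = {
    "1001": {"name": "Alice", "address": "1 Example Lane", "card_last4": "4242"},
    "1002": {"name": "Bob", "address": "2 Sample Road", "card_last4": "1111"},
}
# Constructed session store: opaque token -> customer id it was issued to.
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}


class Unauthorized(Exception):
    """No valid session presented."""


class Forbidden(Exception):
    """Valid session, but asking for someone else's record."""


def get_customer_insecure(request: dict) -> dict:
    """Flawed pattern the article describes: the customer_id in the request
    is the only thing consulted, so any ID returns that customer's record."""
    return CUSTOMERS[request["customer_id"]]


def get_customer_secure(request: dict) -> dict:
    """Hardened pattern: identity comes from the session token. A client-
    supplied customer_id is only honoured when it matches that identity."""
    owner = SESSIONS.get(request.get("auth_token"))
    if owner is None:
        raise Unauthorized("missing or unknown session token")
    requested = request.get("customer_id", owner)
    if requested != owner:
        raise Forbidden("customer_id does not match authenticated session")
    return CUSTOMERS[owner]


def classify(requests: list) -> list:
    """Run constructed requests through the hardened handler and label each
    outcome; 'cross-account' is the event a defender would alert on."""
    outcomes = []
    for req in requests:
        try:
            get_customer_secure(req)
            outcomes.append("ok")
        except Unauthorized:
            outcomes.append("unauthenticated")
        except Forbidden:
            outcomes.append("cross-account")
    return outcomes
```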

Update: A spokesperson for Moonpig said: "We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."

[Image Credit: Liz West, Flickr]