Moonpig flaw leaves customer accounts wide open for 17 months (update)


Over the years we've seen our fair share of security breaches and loopholes, but rarely does it take the companies involved almost 17 months to patch them up. Moonpig, the online mail order greeting card service, is guilty of this particular faux-pas after an external developer noticed a severe vulnerability back in August 2013. Here's how it worked: using the Moonpig API, it was possible to impersonate any customer simply by submitting that customer's unique ID number. With a little bit of technical know-how, anyone could have exploited it to place orders or, more worryingly, retrieve personal information such as credit card details, addresses and past purchases. "Whoever architected this system needs to be waterboarded," said Paul Price, who first spotted the problem. After he notified Moonpig in 2013, the company promised to "get right on it," but, as of yesterday, nothing had changed. Price then shared the vulnerability online, which, according to The Register, finally forced Moonpig to take action and pull the exposed APIs. The company is yet to comment on the whole affair, but if you've been a Moonpig customer in the past, now might be a good time to change your password or remove your account details altogether.
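The flaw described above is a textbook insecure direct object reference: the API looked up whichever customer ID the client supplied instead of the customer the caller was actually authenticated as. The following is an added illustration, not Moonpig's code (the article does not publish the real API, so the endpoint shape, the request object, the customer records and the handler names are all assumptions). It places a handler with that defect beside a hardened one that only ever returns the record bound to the session, and it logs refused cross-account requests, which is the signal a monitoring team would alert on.

```python
# Added illustration of the bug class in the article (an insecure direct
# object reference) and its fix. Not Moonpig's code: the request shape,
# the customer store and the handler names are assumptions for this example.

from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample data: two customers with a few stored fields.
CUSTOMERS = {
    "1001": {"name": "Alice Example", "address": "1 Sample Street", "card_last4": "4242"},
    "1002": {"name": "Bob Example", "address": "2 Sample Road", "card_last4": "1111"},
}


class AuthorizationError(Exception):
    """Raised when a request is unauthenticated or asks for another account."""


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the customer the session is
    bound to (None when unauthenticated) and the ID the client asked for."""
    session_customer_id: Optional[str]
    requested_customer_id: str


def get_customer_vulnerable(req: Request) -> dict:
    """Trusts the ID the client sends. Any caller who supplies another
    customer's numeric ID receives that customer's record, authenticated or not."""
    return CUSTOMERS[req.requested_customer_id]


# Audit trail written by the hardened handler; in production this would be a
# structured log line feeding the SIEM.
AUDIT_LOG: List[str] = []


def get_customer_hardened(req: Request) -> dict:
    """Requires an authenticated session and returns only the record bound to
    it. A requested ID that differs from the session's ID is refused and
    logged; a burst of such refusals from one client is the detection signal."""
    if req.session_customer_id is None:
        raise AuthorizationError("authentication required")
    if req.requested_customer_id != req.session_customer_id:
        AUDIT_LOG.append(
            f"IDOR attempt: session={req.session_customer_id} "
            f"requested={req.requested_customer_id}"
        )
        raise AuthorizationError("not permitted")
    return CUSTOMERS[req.session_customer_id]


def count_cross_account_reads(handler: Callable[[Request], dict],
                              requests: Iterable[Request]) -> int:
    """Run each request through a handler and count how many returned a
    record that does not belong to the session's own customer."""
    leaks = 0
    for req in requests:
        try:
            record = handler(req)
        except AuthorizationError:
            continue
        own_record = CUSTOMERS.get(req.session_customer_id or "")
        if record is not own_record:
            leaks += 1
    return leaks


# Constructed traffic: one legitimate read and two cross-account reads.
SAMPLE_REQUESTS = [
    Request("1001", "1001"),   # Alice reads her own record
    Request("1001", "1002"),   # Alice's session asks for Bob's record
    Request(None, "1002"),     # unauthenticated caller asks for Bob's record
]

if __name__ == "__main__":
    print("vulnerable handler leaked",
          count_cross_account_reads(get_customer_vulnerable, SAMPLE_REQUESTS), "records")
    print("hardened handler leaked",
          count_cross_account_reads(get_customer_hardened, SAMPLE_REQUESTS), "records")
    for line in AUDIT_LOG:
        print(line)
```

The hardened handler still accepts an ID in the request only so the comparison with the vulnerable one is direct; the cleaner design is an endpoint that takes no customer ID at all (a "current account" route) so there is nothing for a client to substitute. The refusal log is the other half of the mitigation: the article notes the flaw went unnoticed for 17 months, and a server that logs and counts cross-account requests would have surfaced probing far sooner.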

Update: A spokesperson for Moonpig said: "We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."

[Image Credit: Liz West, Flickr]
