Moonpig flaw leaves customer accounts wide open for 17 months (update)

by Nick Summers, 01.06.2015

Over the years we've seen our fair share of security breaches and loopholes, but rarely does it take the company involved almost 17 months to patch one. Moonpig, the online mail-order greeting card service, is guilty of this particular faux pas: an external developer noticed a severe vulnerability back in August 2013. Here's how it worked: the Moonpig API accepted a customer's unique ID number as proof of who was calling, so anyone who submitted another customer's ID could impersonate that customer. With a little technical know-how, anyone could have exploited it to place orders or, more worryingly, retrieve personal information such as credit card details, addresses and past purchases. "Whoever architected this system needs to be waterboarded," said Paul Price, who first spotted the problem. After Price notified Moonpig in 2013, the company promised to "get right on it," but, as of yesterday, nothing had changed. Price then published the vulnerability, which, according to The Register, finally forced Moonpig to take action and pull the exposed APIs. The company has yet to comment on the affair, but if you've been a Moonpig customer in the past, now might be a good time to change your password or remove your account details altogether.
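The flaw described above is a missing object-level authorization check: the API never tied the requested customer record to the caller's authenticated identity. The following Python is an added example, not Moonpig's code: a hypothetical record-lookup handler in its vulnerable and hardened forms, plus a small detection check over the denial log; the session model, record store and log format are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample records; the values are made up for this example.
CUSTOMERS = {
    1001: {"name": "Alice", "card_last4": "4242", "address": "1 Example St"},
    1002: {"name": "Bob", "card_last4": "1111", "address": "2 Sample Rd"},
}
AUDIT_LOG: list[str] = []  # hypothetical server-side audit log, one event per line


@dataclass(frozen=True)
class Session:
    """Identity established server-side at login; never taken from the request."""
    customer_id: int


def get_customer_vulnerable(session: Session, requested_id: int):
    # Flawed pattern: the ID supplied by the client is treated as proof of identity,
    # so any caller can read any customer's record simply by changing the number.
    record = CUSTOMERS.get(requested_id)
    return (200, record) if record is not None else (404, {"error": "not found"})


def get_customer_fixed(session: Session, requested_id: int):
    # Hardened pattern: the requested object must belong to the authenticated
    # session. A mismatch is refused before any data is read, and logged so that
    # repeated denials can be picked up by the detection check below.
    if requested_id != session.customer_id:
        AUDIT_LOG.append(f"authz_denied session={session.customer_id} requested={requested_id}")
        return 403, {"error": "forbidden"}
    record = CUSTOMERS.get(requested_id)
    return (200, record) if record is not None else (404, {"error": "not found"})


def sessions_with_repeated_denials(log: list[str], threshold: int = 3) -> set[int]:
    # Detection: a session that keeps requesting other customers' records is
    # probing the authorization boundary; flag it once denials reach the threshold.
    counts: Counter[int] = Counter()
    for line in log:
        if not line.startswith("authz_denied "):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        counts[int(fields["session"])] += 1
    return {sid for sid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(get_customer_vulnerable(Session(1001), 1002))  # leaks Bob's record
    print(get_customer_fixed(Session(1001), 1002))       # (403, {'error': 'forbidden'})
```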