Moonpig app security flaw leaves millions of customer details exposed for 17 months

A major security flaw has been found in the Android app of Moonpig (a personalised greeting cards company) revealing the account details of millions of users.

Discovered by app developer Paul Price, the issue was first reported to Moonpig in August 2013, but after twice saying the problem would be fixed, it remains a threat, forcing Price to disclose the vulnerability in public.

The failure means every account - some three million, according to Moonpig - and the name, date of birth, email and street address associated with them can be discovered by hackers, along with the expiry dates and last four digits of every user's credit card. It also means that orders can be placed under any account.

Half-arsed security measures

Price said in a blog post: "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be waterboarded...there's no authentication at all and you can pass in any customer ID to impersonate them.

"An attacker could easily place orders on other customers' accounts, add/retrieve card information, view saved addresses, view orders and much more."

Moonpig quickly became a Twitter trending topic in London after the blog post was published on 5 January, but as security experts were telling users to immediately delete their accounts, Moonpig was tweeting about the return of ITV drama Broadchurch. The company has at least shut down access to the offending application API, but is yet to respond publicly.

Moonpig's system was also found to not be rate limited, meaning a hacker could easily search the database hundreds of thousands of times in quick succession, and given user IDs are sequential, gathering up data on every customer wouldn't be difficult. Price reckons this could be done "in a few hours - very scary indeed."

Price contacted Moonpig on 18 August 2013 and "after a few emails back and forth their reasoning was legacy code and they'll 'get right on it.'"

But by September 2014, 13 months later, Price sent a follow up email and was told the flaw would be fixed "after Christmas."

Price said on his blog post: "Initially I was going to wait until they fixed their live endpoints but given the timeframes I've decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers.

"17 months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig."

UPDATE: Moonpig has released the following statement:

"We are aware of the claims made this morning regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected."