Moonpig, a U.K.-based company that sells personalized greeting cards, mugs, t-shirts and other novelties, has been taken to the woodshed for poor security practices by a researcher who claims it’s simple to pilfer user and payment card data through a wonky mobile app API.
The company this morning told Threatpost that its apps will be unavailable while it investigates the issue.
“We are aware of the claims made this morning regarding the security of customer data within our Apps,” a Moonpig representative said. “We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.”
That may be so, but researcher Paul Price, who yesterday disclosed the gaping holes at Moonpig.com, said he reported the issue to the company on Aug. 18, 2013, 17 months ago.
“After a few emails back and forth, their reasoning was legacy code and they’ll ‘get right on it,’” Price wrote in his disclosure. Subsequent email conversations with Moonpig in September revealed the issue remained unresolved but would be fixed “before Christmas,” Price said. Yesterday, he decided Moonpig had had enough opportunity to resolve the issue.
“Initially I was going to wait until they fixed their live endpoints but given the timeframes I’ve decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this!),” Price wrote. “17 months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig.”
Price’s work revolves around Moonpig’s Android app and the requests it makes to an API. Price cited a number of glaring issues, chiefly a lack of authentication and the ability to change a customer ID passed as a URL parameter, which together could allow an attacker to theoretically learn personal and payment information for every one of Moonpig’s three million customers.
“I hit my test users a few hundred times in quick succession and I was not rate limited,” Price said. “Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours – very scary indeed.”
Given this ability to impersonate users via the sequential customer IDs, Price said an attacker could retrieve profile and card information, place and view orders and more. He also noted an API method called GetCreditCardDetails which, when called with the ID of a test customer he had created, returned the last four digits of the card number, the expiration date and the customer’s name.
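The flaw described above is a classic insecure direct object reference: the server trusts the customer ID the caller supplies. The following is an added illustration, not Moonpig’s code, showing a GetCreditCardDetails-style lookup in that vulnerable form beside a hardened handler that derives the customer from the caller’s session and throttles repeated requests; the records, tokens and HTTP-style status codes are constructed for the example.

```python
# Added example, not Moonpig's code. All data and tokens below are constructed.
import time
from collections import deque

# Constructed sample records keyed by sequential customer IDs, as the article describes.
CARDS = {
    1001: {"name": "Test User", "last4": "4242", "expiry": "12/29"},
    1002: {"name": "Another Customer", "last4": "0005", "expiry": "03/27"},
}
# Constructed session store: bearer token -> authenticated customer ID.
SESSIONS = {"token-for-1001": 1001}


def vulnerable_get_credit_card_details(customer_id):
    """Vulnerable form: the caller-supplied ID is looked up directly, so any
    caller, authenticated or not, can read any customer's record."""
    return CARDS.get(customer_id)


class RateLimiter:
    """Sliding window: at most `limit` calls per `window` seconds for each key."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, {}

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window=60.0)


def hardened_get_credit_card_details(token, customer_id, now=None):
    """Hardened form: identity comes from the session, the requested ID must
    belong to that identity, and each session is throttled. Rate limiting runs
    before the ownership check so that rejected guesses also consume budget."""
    caller_id = SESSIONS.get(token)
    if caller_id is None:
        return 401, None              # no valid session
    if not LIMITER.allow(token, now):
        return 429, None              # too many requests from this session
    if customer_id != caller_id:
        return 403, None              # record does not belong to the caller
    return 200, CARDS.get(customer_id)
```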
Price also experimented with trying to find hidden API methods by sending an unknown method. What he got in return was a custom 404 with a link to a help page listing all of Moonpig’s available methods and descriptions of each.
“The help page also exposes their internal network DNS setup, but that’s another story,” Price said.
He did note that the API supports OAuth 2.0 authorization, which would close the gap.
Moonpig did not provide a timeline for getting its apps online, and said that its desktop and mobile sites were unaffected.