Moonpig, the service that lets you send personalised greetings cards, has shut down its mobile apps after uncovering a security flaw.
The vulnerability meant that every account on the service, around 3 million in total, was exposed to attackers.
The data at risk included users’ full names, dates of birth, e-mail addresses and home addresses, as well as the expiry dates and last four digits of their credit and debit cards.
Paul Price, an app developer, was behind the discovery, and wrote in a blog post: “I’ve seen some half-arsed security measures in my time but this just takes the biscuit.”
“Whoever architected this system needs to be waterboarded,” continued Price. “There’s no authentication at all and you can pass in any customer ID to impersonate them.”
He added: “An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more.”
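The flaw class Price describes is broken object-level authorisation (often called an insecure direct object reference): an API accepts a customer ID from the client and returns that customer's data without checking who is asking. The example below is added here to show that pattern beside its fix; it is not Moonpig's code or Price's proof of concept, and the endpoint shape, token names and customer records are all constructed for illustration.

```python
"""Broken object-level authorisation, vulnerable form beside hardened form.

Added illustration, not code from Moonpig or from Paul Price's write-up.
All data, tokens and function names are hypothetical.
"""

from typing import Dict, Iterable, Optional

# Constructed sample records: two customers with saved (truncated) card details.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "Alice Example", "card_last4": "1234", "card_expiry": "06/17"},
    1002: {"name": "Bob Example", "card_last4": "9876", "card_expiry": "11/16"},
}

# Hypothetical session tokens issued at login, each bound to one customer.
SESSIONS: Dict[str, int] = {
    "tok-alice": 1001,
    "tok-bob": 1002,
}


class AuthError(Exception):
    """Raised when a request is unauthenticated or not permitted."""


def get_card_vulnerable(request_customer_id: int) -> dict:
    """Vulnerable: the customer ID comes straight from the request and nothing
    checks that the caller owns it, so any caller can read any record."""
    return CUSTOMERS[request_customer_id]


def get_card_hardened(auth_token: Optional[str], request_customer_id: int) -> dict:
    """Hardened: require a valid session, then only release the record if it
    belongs to that session's customer. The request-supplied ID is compared
    against the authenticated identity, never trusted as the identity."""
    if auth_token is None or auth_token not in SESSIONS:
        raise AuthError("missing or invalid session")
    owner = SESSIONS[auth_token]
    record = CUSTOMERS.get(request_customer_id)
    # Same failure for "not yours" and "does not exist", so the endpoint
    # cannot be used as an oracle for which customer IDs are valid.
    if owner != request_customer_id or record is None:
        raise AuthError("not authorised for this customer")
    return record


def get_my_card(auth_token: Optional[str]) -> dict:
    """Stronger shape again: derive the customer from the session and take no
    customer ID from the client at all."""
    if auth_token is None or auth_token not in SESSIONS:
        raise AuthError("missing or invalid session")
    return CUSTOMERS[SESSIONS[auth_token]]


def enumerate_vulnerable(id_range: Iterable[int]) -> Dict[int, dict]:
    """What an attacker can do against the vulnerable endpoint: walk the
    (sequential) ID space with no credentials and collect every record."""
    leaked: Dict[int, dict] = {}
    for cid in id_range:
        try:
            leaked[cid] = get_card_vulnerable(cid)
        except KeyError:
            continue
    return leaked


def enumerate_hardened(auth_token: Optional[str], id_range: Iterable[int]) -> Dict[int, dict]:
    """The same sweep against the hardened endpoint: at most the caller's own
    record comes back, and nothing at all without a session."""
    seen: Dict[int, dict] = {}
    for cid in id_range:
        try:
            seen[cid] = get_card_hardened(auth_token, cid)
        except AuthError:
            continue
    return seen


if __name__ == "__main__":
    print("unauthenticated sweep, vulnerable:", sorted(enumerate_vulnerable(range(1000, 1010))))
    print("sweep as bob, hardened:", sorted(enumerate_hardened("tok-bob", range(1000, 1010))))
    print("sweep with no token, hardened:", sorted(enumerate_hardened(None, range(1000, 1010))))
```

The point of the sweep functions is that with sequential customer IDs, a missing ownership check turns every account into a single loop; the fix is an authorisation check tied to the authenticated session, not obscuring IDs or rate-limiting the endpoint.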
Price says he first warned Moonpig about the vulnerability on 18 August 2013, but by September 2014 it still had not been fixed.
When he contacted Moonpig again, he was told that the flaw would be patched ‘after Christmas’.
“17 months is more than enough time to fix an issue like this,” said Price. “It appears customer privacy is not a priority to Moonpig.”
It is not yet clear whether Moonpig has now fixed the flaw; we have reached out for comment and will update this article when they reply.