Moonpig Android app flaw puts three million accounts at risk

Developer claims issue was left unfixed for 17 months

Online greetings card retailer Moonpig has become the first big name of 2015 to be embarrassed for poor software security, after a developer lost patience with the slow response to a serious Android app flaw he claims to have reported to the company 18 months ago.

According to developer Paul Price, a cock-up in the app's API authentication design (i.e. there wasn't any) allowed him to access a customer's registered details simply by substituting a different nine-digit number for the customer ID carried in the request header. This amounts to an open sesame on any and every account, including partial credit card numbers where those have been registered.
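The design error described above is a missing authorisation check: the record returned is chosen by a client-supplied customer ID rather than by the authenticated session. The following is an added example, not Moonpig's code and not from Price's write-up, showing that pattern beside a hardened handler that binds the record to the session and refuses (and logs) an ID header that disagrees with it. The customer records, tokens and the `X-Customer-Id` header name are all constructed for the example.

```python
# Added example (not Moonpig's code): a client-supplied customer ID trusted as
# the authority on whose record to return, beside a handler that binds the
# record to the authenticated session instead. All data and names are constructed.
import logging

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("api")

# Constructed sample records: nine-digit, sequential customer IDs
CUSTOMERS = {
    100000001: {"name": "Alice Example", "address": "1 Sample St", "card_last4": "1234"},
    100000002: {"name": "Bob Example", "address": "2 Sample St", "card_last4": "9876"},
}

# Constructed session store: opaque bearer token -> customer ID it was issued to
SESSIONS = {
    "tok-alice-3f9a": 100000001,
    "tok-bob-7c21": 100000002,
}


def vulnerable_get_customer(headers):
    """Flaw pattern described in the article: the ID header alone selects the
    record, so any caller who can guess a nine-digit number reads that customer."""
    try:
        cid = int(headers.get("X-Customer-Id", ""))
    except ValueError:
        return 400, {"error": "bad id"}
    record = CUSTOMERS.get(cid)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def _authenticate(headers):
    """Resolve the bearer token to the customer it was issued to, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def hardened_get_customer(headers):
    """The record is chosen by the session, never by a client-supplied ID.
    An ID header that disagrees with the session is refused and logged."""
    session_cid = _authenticate(headers)
    if session_cid is None:
        return 401, {"error": "authentication required"}
    requested = headers.get("X-Customer-Id")
    if requested is not None and requested != str(session_cid):
        # A mismatch is a detection signal worth alerting on, not just a 403
        log.warning("customer %s requested record %s", session_cid, requested)
        return 403, {"error": "forbidden"}
    record = CUSTOMERS[session_cid]
    # Return only what the client needs; keep the card reference masked
    return 200, {
        "name": record["name"],
        "address": record["address"],
        "card": "**** **** **** " + record["card_last4"],
    }


if __name__ == "__main__":
    # Unauthenticated caller supplying somebody else's ID
    spoof = {"X-Customer-Id": "100000002"}
    print("vulnerable:", vulnerable_get_customer(spoof))
    print("hardened:  ", hardened_get_customer(spoof))
    # Authenticated as Alice but asking for Bob's record
    cross = {"Authorization": "Bearer tok-alice-3f9a", "X-Customer-Id": "100000002"}
    print("hardened:  ", hardened_get_customer(cross))
    # Authenticated as Alice asking for her own record
    own = {"Authorization": "Bearer tok-alice-3f9a"}
    print("hardened:  ", hardened_get_customer(own))
```

The hardened handler never looks up a record by the header value at all; the header is only compared against the session so that a mismatch can be logged, which turns an enumeration attempt into an alert rather than a data leak.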

"An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more."

Although only the Android app was directly affected, in principle all of the firm's several million customers would be exposed, because the issue allows access to the back-end database.

This is bad enough, but further lax design allowed Price to work out how to enumerate the customer database using a simple technique.

"I hit my test users a few hundred times in quick succession and I was not rate limited. Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours - very scary indeed."
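The quote above names the two conditions that make bulk harvesting practical: no rate limiting and sequential customer IDs. The following is an added example, not Moonpig's code and not from Price's write-up, of the two defensive controls a service owner would want against that: a per-client sliding-window rate limiter, and a detector that flags a client walking consecutive IDs in access logs. The log format, client addresses, IDs and thresholds are constructed for the example.

```python
# Added example (not Moonpig's code): a sliding-window rate limiter and an
# enumeration detector run over constructed access-log lines.
import re
from collections import defaultdict, deque

# Constructed access-log lines: "<epoch> <client> GET /customer/<id> <status>"
SAMPLE_LOG = """\
1420502400 10.0.0.5 GET /customer/100000001 200
1420502400 10.0.0.5 GET /customer/100000002 200
1420502401 10.0.0.5 GET /customer/100000003 200
1420502401 10.0.0.5 GET /customer/100000004 200
1420502402 10.0.0.5 GET /customer/100000005 200
1420502402 10.0.0.5 GET /customer/100000006 200
1420502403 10.0.0.9 GET /customer/100000042 200
1420502410 10.0.0.9 GET /customer/100000042 200
"""
LINE_RE = re.compile(r"^(\d+) (\S+) GET /customer/(\d{9}) (\d{3})$")


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client, now):
        q = self.hits[client]
        # Drop timestamps that have aged out of the window
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def parse_log(text):
    """Yield (epoch, client, customer_id, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3)), int(m.group(4))


def find_enumerators(text, min_ids=5, max_gap=1):
    """Return clients that touched at least `min_ids` distinct customer IDs
    where every step between the sorted IDs is at most `max_gap`, i.e. a
    sequential walk rather than a customer looking at their own record."""
    ids = defaultdict(set)
    for _, client, cid, _ in parse_log(text):
        ids[client].add(cid)
    flagged = []
    for client, seen in ids.items():
        s = sorted(seen)
        if len(s) >= min_ids and all(b - a <= max_gap for a, b in zip(s, s[1:])):
            flagged.append(client)
    return flagged


def apply_limiter(text, limit=3, window=2):
    """Replay the log through the limiter and return the (client, id) requests
    it would have refused."""
    lim = SlidingWindowLimiter(limit, window)
    return [(c, cid) for t, c, cid, _ in parse_log(text) if not lim.allow(c, t)]


if __name__ == "__main__":
    print("sequential walkers:", find_enumerators(SAMPLE_LOG))
    print("would be rate limited:", apply_limiter(SAMPLE_LOG))
```

The limiter stops the "few hundred times in quick succession" case at the edge; the detector catches a slower walk that stays under the limit, which is why both belong in place. With non-sequential (random) identifiers the gap test above would not fire, and the rate limiter becomes the main control.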

Although the exposure of customer identities is not a new issue for websites, the firm's alleged poor response is perhaps as big an issue.

The developer said he'd first contacted Moonpig about the issue in August 2013, following that up a month later, at which time he was told that the expected fix would arrive by early 2014.

A year on from that communication, with no fix in sight, he appears to have run out of patience. "Seventeen months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig," he wrote.

Moonpig batted away the controversy, claiming that "We can assure our customers that all password and payment information is and has always been safe," before admitting that the Android app would be unavailable while it undertakes investigations.

"We will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected," read a statement on the firm's website.

As of 6 January, no emails appear to have been sent to inform customers of the issue, something noticed by security expert Chris Boyd of Malwarebytes.

"I think most would agree that Moonpig has been slow to react here, too much time has elapsed between notification and any attempt at a fix," said Boyd.

"At the very least, one would expect the company to notify customers by email to let them know there's an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain. Issues such as these can prove very costly to companies, and now the Information Commissioner's Office is looking at the details the fallout could be severe."

Founded during the dot-com boom and since sold on to photo printing firm PhotoBox, Moonpig is believed to have around three million registered accounts. Moonpig isn't the first major UK site to be shown to be insecure in recent times. In April 2014, Mumsnet was found to be at risk from the Heartbleed bug, while in a particularly outrageous incident in August, Irish betting site Paddy Power waited four years to inform its users of a breach dating back to 2010.


Stories by John E Dunn
