Greetings card website Moonpig has suspended its mobile apps following a claim that a security bug exposed personal details of customers.
Developer Paul Price posted an entry on his blog yesterday claiming that a flaw in the website's security settings meant that anyone could pose as another user, getting access to a portion of their credit card details and personal information as well as being able to make orders from their account.
Mr Price said he discovered the problem in August 2013 and told Moonpig then, but despite the company saying it would "get right on it", the glitch was still in place yesterday.
Moonpig today assured customers that “all password and payment information is and has always been safe”, but said it had made its apps unavailable while it conducted investigations. Mr Price wrote: “I’ve seen some half-a**ed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot, waterboarded.”
According to Mr Price, the vulnerability is in the section of software that lets Moonpig’s mobile apps communicate with its servers, called an application programming interface (API). He claims that, rather than authenticating each request with the individual’s own username and password, the API sent every request with the same fixed credentials, regardless of which user was signed in, while the customer whose data was returned was selected by a customer ID supplied in the request. He said anyone who knew of the loophole could pass in any customer ID to impersonate that customer, and that an attacker could easily place orders on other customers’ accounts, add or retrieve card information, view saved addresses and orders “and much more”.
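The design flaw described above is a broken object-level authorization check: the server authenticates the app, not the user, and then trusts a customer ID chosen by the caller. The following is an added illustration written for this page, not Moonpig’s code or Mr Price’s, and every name in it (the handler functions, the `customer_id` field, the sample customers and passwords) is invented. It models the weak pattern beside a hardened one in which the customer identity is derived from a per-user session token rather than from the request.

```python
"""Added example: a minimal model of the API authorization flaw described above.

Illustrative code written for this page, not Moonpig's own code. The handler
names, request fields, customers and passwords are all constructed.
"""
import secrets

# Constructed sample data: two customers and the records the API can return.
CUSTOMERS = {
    "1001": {"name": "Alice", "card_last4": "4242", "addresses": ["1 High St"]},
    "1002": {"name": "Bob", "card_last4": "1111", "addresses": ["2 Low Rd"]},
}
# username -> (customer_id, password); plaintext only to keep the model short.
ACCOUNTS = {"alice": ("1001", "alice-pw"), "bob": ("1002", "bob-pw")}

# --- Weak pattern: one fixed credential shared by every copy of the app ---
APP_CREDENTIAL = "app-wide-secret"  # hypothetical; identical for every user


def vulnerable_get_customer(request):
    """Checks only that the caller is 'the app', then trusts customer_id.

    Returns (status, record). Any caller holding APP_CREDENTIAL can read any
    customer by changing customer_id, which is the flaw the article describes.
    """
    if request.get("credential") != APP_CREDENTIAL:
        return 401, None
    cid = request.get("customer_id")  # attacker-controlled
    if cid not in CUSTOMERS:
        return 404, None
    return 200, CUSTOMERS[cid]


# --- Hardened pattern: per-user session token; identity comes from the token ---
SESSIONS = {}  # token -> customer_id, populated by login()


def login(username, password):
    """Issues a random session token bound to the caller's own customer_id."""
    account = ACCOUNTS.get(username)
    if account is None or not secrets.compare_digest(account[1], password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account[0]
    return token


def hardened_get_customer(request):
    """Derives the customer from the session, never from the request body.

    A customer_id in the request is only honoured if it matches the session's
    own customer; anything else is refused with 403 (object-level check).
    """
    cid = SESSIONS.get(request.get("token"))
    if cid is None:
        return 401, None
    requested = request.get("customer_id", cid)
    if requested != cid:
        return 403, None
    return 200, CUSTOMERS[cid]


if __name__ == "__main__":
    # Alice, using the shared app credential, reads Bob's record.
    print(vulnerable_get_customer({"credential": APP_CREDENTIAL, "customer_id": "1002"}))
    # With per-user sessions the same attempt is refused.
    tok = login("alice", "alice-pw")
    print(hardened_get_customer({"token": tok, "customer_id": "1002"}))
    print(hardened_get_customer({"token": tok}))
```

The practical check for this class of bug is the one the code performs: log in as one account, replay a request with another account’s identifier, and confirm the server returns a refusal rather than the other customer’s data. A shared credential compiled into an app should be treated as public, since it can be recovered from any installed copy.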
Moonpig said in a statement on its website: “You may have seen reports this morning about our apps and the security of customer details when shopping with Moonpig. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.
“As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”
Reuters