Three Million Moonpig accounts exposed by simple API flaw

Vulnerability

A simple API flaw meant that anybody could access every Moonpig account, along with the customer's name, date of birth, email address and street address, simply by changing the customer identification number sent in an API request. Through the same insecure API anybody could place orders on the accounts they accessed and retrieve the last four digits of stored credit card numbers together with their expiry dates, details that could then be used to commit fraud online. Security researcher Paul Price, who found the flaw, also reports that despite knowing about it Moonpig's administrators had not enabled rate limiting to slow brute-force enumeration, leaving the API doubly exposed to criminals. Price made his findings known in rather terse language:

"…Every API request is like this, there's no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers' accounts, add/retrieve card information, view saved addresses, view orders and much more… …I hit my test users a few hundred times in quick succession and I was not rate limited. Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours – very scary indeed…"

About Moonpig

Moonpig.com is a business based in London and Guernsey which sells personalised greeting cards. It was founded by Nick Jenkins; 'Moonpig' was his nickname at school, hence the name of the brand. The website was launched in July 2000, and by 2007 the company accounted for 90 percent of the online greeting card market in the United Kingdom, shipping nearly six million cards. In July 2011 Moonpig was bought by PhotoBox, which operates it today.
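The two weaknesses described in the Vulnerability section, a customer ID taken straight from the request with no authentication behind it, and no rate limiting to slow a sequential walk of those IDs, shown side by side with a hardened handler, as an added Python example. This is constructed illustration code, not Moonpig's API or Price's own test script: the customer records, session tokens, request/response shapes, the `customerId` parameter name and the token-bucket limiter are all assumptions made for the demonstration.

```python
"""Constructed demonstration of the two weaknesses described above: an
insecure direct object reference (customer ID taken from the request and
never tied to the caller's identity) and the absence of rate limiting that
lets sequential IDs be walked quickly. All names, records, tokens and the
API shape are assumptions for illustration, not Moonpig's real API."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample store. IDs are sequential, as in the write-up.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "Alice Example", "dob": "1980-01-01", "email": "alice@example.test",
           "address": "1 Example St, London", "card_last4": "4242", "card_expiry": "12/26"},
    1002: {"name": "Bob Example", "dob": "1975-06-15", "email": "bob@example.test",
           "address": "2 Example St, Guernsey", "card_last4": "0005", "card_expiry": "03/27"},
    1003: {"name": "Carol Example", "dob": "1990-09-30", "email": "carol@example.test",
           "address": "3 Example Rd, Leeds", "card_last4": "1117", "card_expiry": "08/25"},
}
# Constructed session store: bearer token -> the customer the token was issued to.
SESSIONS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}


@dataclass
class Request:
    params: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    client_ip: str = "203.0.113.10"


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_customer(req: Request) -> Response:
    """The flaw: the client-supplied customerId is the only 'identity'.
    No authentication, so any caller can read any record."""
    record = CUSTOMERS.get(int(req.params["customerId"]))
    return Response(200, record) if record else Response(404)


class TokenBucket:
    """Per-key token bucket: refills `rate` tokens per second up to `burst`.
    `clock` is injectable so the behaviour can be tested deterministically."""
    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self._state: Dict[str, tuple] = {}  # key -> (tokens, last_seen)

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self._state[key] = (tokens - 1.0 if allowed else tokens, now)
        return allowed


def hardened_get_customer(req: Request, limiter: TokenBucket) -> Response:
    """Fix: identity comes from the session, never from the URL. A customerId in
    the request is accepted only if it matches the session owner, and every
    caller is rate limited so sequential IDs cannot be walked cheaply."""
    if not limiter.allow(req.client_ip):
        return Response(429)
    token = req.headers.get("Authorization", "")
    owner = SESSIONS.get(token[len("Bearer "):]) if token.startswith("Bearer ") else None
    if owner is None:
        return Response(401)
    requested = req.params.get("customerId")
    if requested is not None and requested != str(owner):
        return Response(403)  # the caller asked for someone else's record
    return Response(200, CUSTOMERS[owner])


def enumerate_customers(handler: Callable[[Request], Response], start: int, count: int,
                        headers: Optional[Dict[str, str]] = None,
                        client_ip: str = "198.51.100.7") -> Dict[int, dict]:
    """The attack from the write-up: walk sequential IDs and keep every 200."""
    found: Dict[int, dict] = {}
    for cid in range(start, start + count):
        resp = handler(Request({"customerId": str(cid)}, headers or {}, client_ip))
        if resp.status == 200 and resp.body is not None:
            found[cid] = resp.body
    return found


def demo() -> Dict[str, int]:
    """Run the enumeration against both handlers and report how much leaked."""
    frozen = lambda: 0.0  # no refill during the run, so the burst is the hard cap
    limiter = TokenBucket(rate=1.0, burst=20, clock=frozen)
    hardened = lambda req: hardened_get_customer(req, limiter)
    leaked_vulnerable = enumerate_customers(vulnerable_get_customer, 1000, 10)
    leaked_anon = enumerate_customers(hardened, 1000, 10)
    leaked_as_alice = enumerate_customers(hardened, 1000, 10,
                                          headers={"Authorization": "Bearer tok-alice"})
    return {"vulnerable": len(leaked_vulnerable), "hardened_anonymous": len(leaked_anon),
            "hardened_as_alice": len(leaked_as_alice)}


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable handler the ten-ID walk returns every record in range, card digits and expiry included; against the hardened handler an anonymous walk returns nothing and an authenticated one returns only the caller's own record. Note the order of the two fixes: the rate limiter alone would only have slowed the enumeration Price describes, not stopped it, because the real defect is that the handler never asks who is calling. Keying the limiter on client IP is a simplification; a production service would also key on the session and account.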

Timeline

Price notified Moonpig of the flaw in August 2013; the timeline of events is given below:

After Price made the vulnerability public, Moonpig users took to social media to vent their ire at the company, which did not respond to their complaints.

— Nick (@ntcoding), January 6, 2015

https://twitter.com/hdmoore/status/552247704764420096

However, at the time of writing, the company appears to have patched the vulnerable APIs.

— andy piper (pipes) (@andypiper), January 6, 2015