Online greetings card retailer Moonpig has become the first big name of 2015 to be embarrassed for poor software security after a developer lost patience with the slow response to a serious Android app flaw he claims to have reported to the company 18 months ago.
According to developer Paul Price, a cock-up in the development API’s authentication design (i.e. there wasn’t any) allowed him to access a customer’s registered details simply by inserting a nine-digit number to spoof the customer ID used in the request header. This is equivalent to an open sesame on any and every account, including partial credit card numbers where those have been registered.
“An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more.”
Although only the Android app is directly affected, in principle all of the firm’s several million customers would be affected because the issue allows access to the back-end database.
This is bad enough, but further lax design allowed Price to work out how to enumerate the customer database using a simple technique.
“I hit my test users a few hundred times in quick succession and I was not rate limited. Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours - very scary indeed.”
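The two weaknesses Price describes, an API that believes whatever customer ID the client puts in a header and no rate limit on lookups, are shown below in a small Python sketch added here for illustration. It is not Moonpig’s code and is not taken from Price’s write-up; the header names (X-Customer-Id, Authorization), the function names, the session store and the customer records are all constructed for the example. The vulnerable handler sits beside a hardened one that takes the identity from an authenticated session token, refuses requests for another customer’s record, and throttles repeated lookups.

```python
"""Added illustration (not Moonpig's code): an API handler that trusts a
caller-supplied customer ID, beside a hardened version that derives the
identity from an authenticated session and rate-limits lookups."""
import hmac
import time
from collections import defaultdict
from typing import Optional, Tuple

# Constructed sample data: customer records keyed by sequential nine-digit IDs
CUSTOMERS = {
    100000001: {"name": "Alice", "address": "1 Example St", "card_last4": "4242"},
    100000002: {"name": "Bob", "address": "2 Example Rd", "card_last4": "1234"},
}

# Constructed session store: opaque bearer token -> authenticated customer ID
SESSIONS = {
    "tok-alice-a1b2c3": 100000001,
    "tok-bob-d4e5f6": 100000002,
}


def get_customer_vulnerable(headers: dict) -> Optional[dict]:
    """Broken object-level authorisation: the handler believes whatever
    customer ID the client puts in the header, so any record can be read."""
    try:
        customer_id = int(headers.get("X-Customer-Id", ""))
    except ValueError:
        return None
    return CUSTOMERS.get(customer_id)


class RateLimiter:
    """Sliding-window counter per principal: more than `limit` requests in
    the last `window` seconds are rejected. The clock is injectable so the
    behaviour can be tested deterministically."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(list)

    def allow(self, principal: str) -> bool:
        now = self.clock()
        hits = [t for t in self._hits[principal] if now - t < self.window]
        if len(hits) >= self.limit:
            self._hits[principal] = hits
            return False
        hits.append(now)
        self._hits[principal] = hits
        return True


def lookup_session(token: str) -> Optional[int]:
    """Map a bearer token to the customer it was issued to, comparing in
    constant time so token bytes do not leak through timing."""
    for known, customer_id in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return customer_id
    return None


def get_customer_hardened(headers: dict, limiter: RateLimiter) -> Tuple[int, Optional[dict]]:
    """Identity comes from the session token only. A client-supplied ID is
    checked against that identity, never trusted. Returns (status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    token = auth[len("Bearer "):]
    # Throttle before doing any work, keyed on the presented credential,
    # so a burst of sequential-ID lookups is cut off early.
    if not limiter.allow(token):
        return 429, None
    session_customer = lookup_session(token)
    if session_customer is None:
        return 401, None
    requested = headers.get("X-Customer-Id")
    if requested is not None and requested != str(session_customer):
        return 403, None  # object-level check: only your own record
    return 200, CUSTOMERS.get(session_customer)
```

In the hardened handler the header is at most a hint that must agree with the session; the record returned is always the one belonging to the authenticated customer. From a detection standpoint, the 403 and 429 responses this version emits are exactly the signal a monitoring team would watch for: a single principal generating many of them in quick succession is the enumeration pattern Price describes.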
Although the exposure of customer identities is not a new issue for online retailers, the firm’s alleged poor response is perhaps as big an issue.
The developer said he’d first contacted Moonpig about the issue in August 2013, following that up a month later, at which time he was told that the expected fix would arrive by early 2014.
A year on from that communication, with no fix in sight, he appears to have run out of patience. “Seventeen months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig,” he wrote.
Moonpig batted away the controversy, claiming that “We can assure our customers that all password and payment information is and has always been safe,” before admitting that the Android app would be unavailable while it undertakes investigations.
“We will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected,” read a statement on the firm’s website.
As of 6 January, no emails appear to have been sent to inform customers of the issue, something noticed by security expert Chris Boyd of Malwarebytes.
“I think most would agree that Moonpig has been slow to react here; too much time has elapsed between notification and any attempt at a fix,” said Boyd.
“At the very least, one would expect the company to notify customers by email to let them know there’s an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain. Issues such as these can prove very costly to companies, and now that the Information Commissioner’s Office is looking at the details, the fallout could be severe.”
Founded during the dot-com boom and since sold on to photo printing firm PhotoBox, Moonpig is believed to have around three million registered accounts. Moonpig isn’t the first major UK site to be shown to be insecure in recent times. In April 2014, Mumsnet was found to be at risk from the Heartbleed bug, while in a particularly outrageous incident in August, Irish betting site Paddy Power waited four years to inform its users of a breach dating back to 2010.