Attention Moonpig customers – you may want to change your account details, now-ish. Moonpig is known for personalised greeting cards, but the only greeting it’s giving customers right now comes in the form of a security vulnerability. What’s worse is that the company knew about it seventeen months ago and did nothing about it.
Moonpig is a popular (over 3m users ‘popular’) online personalised card company, with a frustratingly catchy ad jingle. Seventeen months ago security researcher Paul Price discovered a vulnerability and – following responsible disclosure (i.e. if you discover a vulnerability you give a company an agreed period of time to patch it) – has been asking Moonpig to fix it, but as it wasn’t resolved he went public yesterday.
The problem is API authentication (or rather, the lack of it): every Moonpig account, and the names, birth dates, and email and street addresses tied to it, could be accessed simply by changing the customer identification number sent in an API request. That means orders could be placed under any account, and credit card expiry dates and the last four digits of the card number could also be nicked through the insecure API.
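To make the class of bug concrete from the defender's side, here is an added example (not Moonpig's code, and not from Paul Price's write-up) of the two ways an API can look up a customer record: the insecure version trusts whatever customer id the client sends, while the hardened version keys the lookup to the identity established by the login session and rejects a mismatch. It also includes a small log check that flags a session requesting unusually many distinct customer ids. The customer records, the log line format and every name in it are constructed assumptions for illustration.

```python
"""Added example: session-bound customer lookup versus client-trusted lookup,
plus a log-based check for customer-id enumeration. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed customer store; the records are hypothetical.
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.invalid", "card_last4": "4242"},
    1002: {"name": "B. Example", "email": "b@example.invalid", "card_last4": "1111"},
}


@dataclass
class Request:
    session_customer_id: int  # identity the server established at login
    path_customer_id: int     # identifier the client put in the request


def get_customer_insecure(req):
    """Vulnerable pattern: the client-supplied id selects the record directly,
    so any authenticated caller can read any customer by changing the number."""
    return 200, CUSTOMERS.get(req.path_customer_id)


def get_customer_secure(req):
    """Hardened pattern: the record is selected by the session identity.
    An unknown session is rejected (401); a request for a different customer's
    id than the session's own is refused (403) rather than served."""
    if req.session_customer_id not in CUSTOMERS:
        return 401, None
    if req.path_customer_id != req.session_customer_id:
        return 403, None
    return 200, CUSTOMERS[req.session_customer_id]


def flag_enumeration(log_lines, threshold=5):
    """Detection: return sessions that requested more than `threshold`
    distinct customer ids. Assumed (constructed) line format:
    '<timestamp> session=<id> GET /customer/<customer_id> <status>'."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        session = parts[1].split("=", 1)[1]
        customer_id = parts[3].rsplit("/", 1)[1]
        seen[session].add(customer_id)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


# Constructed sample log: session s1 walks through seven ids, s2 reads only its own.
SAMPLE_LOG = [
    f"2015-01-06T11:00:0{i}Z session=s1 GET /customer/{1001 + i} 200" for i in range(7)
] + ["2015-01-06T11:01:00Z session=s2 GET /customer/1002 200"]


if __name__ == "__main__":
    other = Request(session_customer_id=1001, path_customer_id=1002)
    print("insecure:", get_customer_insecure(other))   # leaks customer 1002
    print("secure:  ", get_customer_secure(other))     # (403, None)
    print("flagged sessions:", flag_enumeration(SAMPLE_LOG))
```

The point of the hardened handler is that the customer id in the URL never decides which record is returned; the session does. The log check is a coarse signal, not proof of abuse, but a session cycling through many customer ids in a short window is exactly the access pattern the session-bound lookup prevents from succeeding.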
Some Twitterers are advising completely closing your account, although this can’t be done without calling the company directly; others are saying they won’t use the site again. Because of the wait, the best thing right now would probably be to change your personal details on your account. There are also some generally great Twitter responses, like:
“What do you think of my design for a “sorry about your vulnerability” card? #moonpig”, above a picture of an ostrich with its head in the sand.
The company is also currently advertising for a security officer (which has now been taken down), following which this great tweet was born:
“JOB OPENING: Security Expert, London. DESIRABLE: C#, iOS, Android. ESSENTIAL: Capable of time travel. APPLY: firstname.lastname@example.org”.
The API was still unauthenticated hours after Price’s public disclosure, although rumours in the Twitterstorm say they’ve just disabled the API this morning. However, the plot thickens as Moonpig responded on Twitter around 11am:
“We are aware of claims re customer data and can confirm that all password and payment information is safe and has always been safe”.
Responses remain sceptical, some showing outright disbelief (one response was, “@MoonpigUK Shhh, shhh you’re making it worse”) and some pointing out that as addresses and other private information are vulnerable, they still can’t claim ‘safety’.
At the end of the day, Moonpig may have made a mistake, but the real problem is that they a) didn’t fix it and b) didn’t tell anyone about it. Responsible disclosure is important as it encourages companies to take action straight away and protect our details – hopefully other companies will learn from the situation. All that we can do as consumers is to keep a beady eye on current security news and respond accordingly and quickly, especially when companies themselves fail to.
For more information on how we can keep your solution safe, take a look at our website or give us a call on 0208 045 4945.