Moonpig under Fire for Slow Response to Security Flaw

Moonpig, the online greeting card firm, has finally suspended its apps.

The company has recently come under fire from security experts and customers for taking so long to respond to a security flaw.

In August 2013, developer Paul Price discovered serious security flaws in Moonpig's Android mobile app that could enable hackers to access customers' personal details.

Price immediately alerted Moonpig and then followed up in September 2014, when he was told that the issue would be resolved "before Christmas."

When Price realised that no action had been taken, he decided to go public with the information in a blog post, prompting the company to suspend its apps and launch an investigation.

In his blog post, Price said: "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be waterboarded."

In a statement, Moonpig said: "We can assure our customers that all password and payment information is and has always been safe."

Price said that with a bit of investigation he would be able to uncover the customer IDs, names, dates of birth, email and home addresses, and credit card details of other Moonpig customers.

He added: "An attacker could easily place orders on other customers' accounts, add/retrieve card information, view saved addresses, view orders and much more."

Price believes he has acted responsibly by first going to Moonpig with his discovery.

He said: "Initially I was going to wait until they fixed their live endpoints but, given the timeframes, I've decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this!).

"17 months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig."
