Your Personal Details May Get Exposed If You’re A Moonpig Customer
Greeting cards are less common than they once were, but plenty of people still send them. If you live in the UK and use greeting cards, you will know Moonpig, a well-known company that sells personalised greeting cards.
Paul Price, a developer, discovered a serious vulnerability in Moonpig’s website and reported it almost a year ago. He did not make it public at the time, since he wanted the vulnerability fixed rather than exploited. But Moonpig’s response has been quite dull and lazy. According to Paul Price, the vulnerability still has not been fixed, even after a year and a half.
Looking more closely at Paul’s findings: Moonpig’s API calls do not require any authentication, and a caller can pass in any customer ID to impersonate that customer. An attacker could easily place orders on other customers’ accounts, add or retrieve card information, view saved addresses, view orders and much more.
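The flaw described above is a missing authentication and object-level authorization check: the server trusts a customer ID supplied by the caller. The following is an added illustration, not Moonpig’s code, using a hypothetical order-lookup handler with constructed sample data; it shows the vulnerable pattern next to a hardened version that takes the customer identity from an authenticated session and checks ownership of each object.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    customer_id: int
    summary: str


# Constructed sample data: hypothetical customers, orders and sessions.
ORDERS = {
    101: Order(101, 1, "birthday card to Alice"),
    102: Order(102, 2, "anniversary card to Bob"),
}
SESSIONS = {"tok-alice": 1, "tok-bob": 2}  # session token -> customer id


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


def get_orders_vulnerable(request: dict) -> list:
    """Vulnerable pattern: identity is whatever customer_id the caller sends
    and no credential is checked, so any ID returns that customer's orders."""
    cid = int(request["customer_id"])
    return [o.summary for o in ORDERS.values() if o.customer_id == cid]


def _authenticated_customer(request: dict) -> int:
    """Identity comes only from a valid session, never from request fields."""
    cid = SESSIONS.get(request.get("session_token"))
    if cid is None:
        raise Unauthorized("no valid session")
    return cid


def get_orders_hardened(request: dict) -> list:
    """Authenticate first, then scope the query to the authenticated customer.
    A customer_id field in the request is ignored entirely."""
    cid = _authenticated_customer(request)
    return [o.summary for o in ORDERS.values() if o.customer_id == cid]


def get_order_hardened(request: dict, order_id: int) -> str:
    """Object-level check: a valid session is not enough; the order must belong
    to the caller. Missing and foreign orders raise the same error so the
    endpoint does not reveal which order IDs exist."""
    cid = _authenticated_customer(request)
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != cid:
        raise Forbidden("order not found or not owned by caller")
    return order.summary
```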
After Paul went public, Moonpig appears to have taken its API offline; it is not accessible at the moment.
What should I do?
If you are a Moonpig customer, you should probably change all the details of your Moonpig account. If you’ve already been compromised, there is not much you can do beyond keeping a close eye on the transactions of any credit card you’ve used on Moonpig.
If you are a programmer or developer and want more details about how this vulnerability works, go to welivesecurity and look at the API usage examples shown there.