Nearly Twenty Months Vulnerable

What’s the latest on the ever-growing list of computing security concerns? Well, nothing too kind, that’s for certain. Early last month a security flaw involving the United Kingdom’s online greeting card retailer, Moonpig, was leaked on the internet. (Moonpig has three million customers.)

While it is standard for security issues, vulnerabilities, and risks to be revealed, something in particular makes Moonpig’s situation a peculiar one. If not peculiar, then definitely vexing, to say the least. According to sources, Moonpig’s methods of authentication leave much to be desired.

Since August 2013 (yes, that is correct, the year 2013), Moonpig has supposedly known about the insecure protection of user information on their website. This still unresolved monstrosity pretty much translates into the idea that the standard user has the ability to pretend to be someone else. Posing as that other user, the standard user is then handed the other account’s details, from names and home addresses to credit card tidbits.

(Screenshot of Moonpig statement found on Paul Price’s blog)

The credit card information disclosed includes the card’s last four digits, expiry date, and cardholder name. Equally concerning is that Price reveals many companies treat a user’s address, birthday, and final four credit card digits as enough to establish that user’s identity.

Under a secure system, Moonpig’s app should run an authentication check to confirm the request is actually being made by the account’s holder (good wonders, customer protection!). Essentially, spoofing another user’s identity shouldn’t be enough to gain access to their data.

In a true display of catering to the customer, Moonpig has no such authentication. Of course, the fact this has been a fatal flaw since August 2013 becomes icing on the cake. (A definite lie of a cake, if you follow.) In any case, there have been no news updates from Moonpig since January. Granted, the upwards of a year and three quarters of silence already makes quite the statement.
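To make the missing check concrete, here is an added illustration (not Moonpig’s code, not Paul Price’s, and not any real API): a card-details endpoint written the way the post describes the flaw, with every request authenticated by one app-wide credential and the customer ID simply taken from the request, beside a hardened version that identifies the caller from their own session and refuses to serve any other account. All names, accounts, tokens and credentials are constructed for the example.

```python
"""Constructed example: an account-details endpoint with the authentication
flaw described in the post, beside a hardened version. Nothing here is real
Moonpig code; all accounts, tokens and credentials are made up."""
import hmac
from dataclasses import dataclass, field

# Constructed sample accounts keyed by customer id (only masked card data is stored).
ACCOUNTS = {
    1001: {"name": "Alice Example", "address": "1 Sample St",
           "card_last4": "4242", "card_expiry": "12/26"},
    1002: {"name": "Bob Example", "address": "2 Sample Rd",
           "card_last4": "1881", "card_expiry": "03/25"},
}

# Hypothetical per-user session store: bearer token -> customer id.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}

# The flaw in the post: one credential shared by every copy of the app.
SHARED_APP_CREDENTIAL = "app-wide-basic-auth"


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


class Unauthorized(Exception):
    """Caller could not be identified."""


class Forbidden(Exception):
    """Caller was identified but is not allowed to see this account."""


def get_card_details_insecure(req: Request) -> dict:
    """Vulnerable pattern: authenticates the *app*, not the user, then trusts
    whatever customer id the request carries. Any caller who knows the shared
    credential can read any account by changing the id."""
    if req.headers.get("Authorization") != SHARED_APP_CREDENTIAL:
        raise Unauthorized()
    customer_id = int(req.params["customerId"])
    return ACCOUNTS[customer_id]  # no check that the caller owns this account


def authenticate(req: Request) -> int:
    """Map a per-user bearer token to the customer it belongs to.
    Constant-time comparison so token lookup does not leak timing."""
    presented = req.headers.get("Authorization", "")
    for token, customer_id in SESSIONS.items():
        if hmac.compare_digest(presented, token):
            return customer_id
    raise Unauthorized()


def get_card_details_secure(req: Request) -> dict:
    """Hardened pattern: the caller's identity comes from their own session,
    and the endpoint only ever serves the account that identity owns
    (object-level authorization). A mismatched customer id is refused
    rather than silently honoured."""
    caller_id = authenticate(req)
    requested_id = int(req.params.get("customerId", caller_id))
    if requested_id != caller_id:
        raise Forbidden()
    return ACCOUNTS[requested_id]


def demo() -> dict:
    """Run both endpoints over the same cross-account request and report outcomes."""
    results = {}
    # Alice's app, pointed at Bob's account id, against the insecure endpoint.
    bad = Request({"Authorization": SHARED_APP_CREDENTIAL}, {"customerId": "1002"})
    results["insecure_cross_account"] = get_card_details_insecure(bad)["card_last4"]
    # Same cross-account attempt with Alice's own session against the hardened endpoint.
    try:
        get_card_details_secure(Request({"Authorization": "tok-alice"}, {"customerId": "1002"}))
        results["secure_cross_account"] = "served"
    except Forbidden:
        results["secure_cross_account"] = "Forbidden"
    # Alice reading her own account is still allowed.
    own = get_card_details_secure(Request({"Authorization": "tok-alice"}, {"customerId": "1001"}))
    results["secure_own_account"] = own["card_last4"]
    # No valid session at all: refused before any data lookup.
    try:
        get_card_details_secure(Request({"Authorization": "not-a-session"}, {}))
        results["secure_no_session"] = "served"
    except Unauthorized:
        results["secure_no_session"] = "Unauthorized"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of the hardened version is that the customer id in the request is never the source of truth: the caller’s session says who they are, and the endpoint compares the requested account against that before touching any data. Logging the `Forbidden` path separately from ordinary errors is also worth doing, since a burst of id-mismatch refusals from one session is exactly the signal a defender wants to see.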

The original discovery of Moonpig’s blatant lack of concern comes from security researcher Paul Price’s blog. Eventually he decided to go public the week of January 5. Although its API is currently down, who’s to say what has and hasn’t happened to customer information.

– Misha (mxb4099)


Paul’s blog, for more technical detail:

Read about the handy dandy “GetCreditCardDetails” method included.

Original Article Found:

Further Reading:

“Rather than securely sending information protected by an individual’s username and password, the API sent every request protected by the same credentials…”


Interesting side note: while I wasn’t sure a whole article was fit to be dedicated to the ‘security’ flaw of the newly released Raspberry Pi 2, it’s worth noting it has the innocent bug of crashing when its photo is taken.