Moonpig security flaw could have exposed personal data of millions of users for over a year

Paul Price says he made company aware of the problem in August 2013, but the company didn't fix it

Andrew Griffin
Tuesday 06 January 2015 06:33 EST


Users of Moonpig had their credit card and personal details exposed to anyone for more than a year, a security expert has claimed.

According to Paul Price, the expert who found it, a flaw in the website's security meant that anyone could pose as another user of the website, read that user's credit card details and personal information, and place orders from their account.

Price says he discovered the problem in August 2013 and told Moonpig about it at the time. Although he says Moonpig told him they would "get right on it", the flaw was still present until this morning.

Moonpig said this morning that it was aware of the claims and denied that customers' information was at risk.

"We can assure our customers that all password and payment information is and has always been safe," a Moonpig spokesperson said. "The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority."

The flaw lies in the site's API, the interface through which Moonpig's apps talk to its servers. A request to the API carries a customer ID number, and the site did not verify that the person sending the request was entitled to act for that customer. Anyone who knew about the loophole could therefore send a request with another customer's ID number and be treated as that customer.
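The request pattern described above, the classic insecure direct object reference, is shown here as an added example written for this page; it is not Moonpig's code and nothing about Moonpig's real API is assumed beyond what the report says. The customer table, the Request shape, the handler names and the ID range are all constructed for illustration. The vulnerable handler selects the record purely from the client-supplied ID; the hardened handler insists that the ID match the identity the server has already verified. The last function is the check a reviewer would run against any API of this kind: one logged-in session, a walk through sequential IDs, and a count of how many records come back.

```python
# Added example (not Moonpig's code): an insecure direct object reference
# beside a hardened handler. Data, Request shape and names are constructed.

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but not entitled to the requested record."""


class NotFound(Exception):
    """No such record, or a malformed identifier."""


# Constructed sample customer table; card digits are fake test values.
CUSTOMERS = {
    1001: {"name": "Alice", "email": "alice@example.test", "card_last4": "4242"},
    1002: {"name": "Bob", "email": "bob@example.test", "card_last4": "0005"},
    1003: {"name": "Carol", "email": "carol@example.test", "card_last4": "1111"},
}


@dataclass(frozen=True)
class Request:
    # Identity established server-side from a verified session or token.
    session_customer_id: int
    # Untrusted, client-controlled parameters (query string, JSON body, ...).
    params: dict = field(default_factory=dict)


def _parse_id(raw):
    """Parse a client-supplied identifier; anything unparseable is 'not found'."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        raise NotFound("bad customer_id") from None


def get_customer_vulnerable(req: Request) -> dict:
    """Vulnerable: the record is chosen purely by the client-supplied ID.

    The caller's own identity is never consulted, so anyone who can guess
    or enumerate IDs can read every customer's record.
    """
    cid = _parse_id(req.params.get("customer_id"))
    if cid not in CUSTOMERS:
        raise NotFound(cid)
    return CUSTOMERS[cid]


def get_customer_hardened(req: Request) -> dict:
    """Hardened: the client-supplied ID must match the verified session identity.

    Authorization is checked per object, not just per endpoint. The check
    runs before the lookup, so an ID that is not yours is refused whether
    or not such a record exists.
    """
    cid = _parse_id(req.params.get("customer_id"))
    if cid != req.session_customer_id:
        raise Forbidden(f"session {req.session_customer_id} may not access {cid}")
    if cid not in CUSTOMERS:
        raise NotFound(cid)
    return CUSTOMERS[cid]


def leaked_records(handler, session_customer_id, id_range) -> int:
    """Count how many records one authenticated caller can pull by walking IDs."""
    count = 0
    for cid in id_range:
        try:
            handler(Request(session_customer_id, {"customer_id": str(cid)}))
            count += 1
        except (Forbidden, NotFound):
            continue
    return count


if __name__ == "__main__":
    # As customer 1001, walk ten sequential IDs against each handler.
    print("vulnerable:", leaked_records(get_customer_vulnerable, 1001, range(1000, 1010)))
    print("hardened:  ", leaked_records(get_customer_hardened, 1001, range(1000, 1010)))
```

Run as customer 1001 over IDs 1000 to 1009, the vulnerable handler hands back all three constructed records while the hardened one returns only the caller's own. Whether the refusal is reported as 403 or as 404 is a separate choice; what matters is that the comparison against the session identity happens on every object access, not only at login.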

Paul Price wrote: “I've seen some half-arsed security measures in my time but this just takes the biscuit.

“Whoever architected this system needs to be waterboarded.”

Price said that he had made the company aware of the problem in August 2013. He said that a follow-up email in September told him that the problem would be resolved “after Christmas”.

Price said that given the lack of response by Moonpig, he chose to make the flaw public to “force Moonpig to fix the issue and protect the privacy of their customers”.

Moonpig has taken its apps offline.

"As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible," the company said.
