Moonpig vulnerability exposes customers’ personal information | SC Media

Moonpig vulnerability exposes customers’ personal information

January 7, 2015

Moonpig, a customizable greeting card company, had 3 million customers' personal information exposed after a developer detailed a security vulnerability online.

Paul Price explained on his blog that the flaw in the application programming interface (API) could allow attackers to view and impersonate users' customer IDs to place orders, add and retrieve card information, and view saved addresses and orders, among other options.

Price first told Moonpig about the vulnerability in August 2013, but after nearly 18 months, and repeated attempts at contact, he went public with his findings.

“Initially I was going to wait until they fixed their live endpoints but given the timeframes I've decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers,” Price wrote.

The greeting card company suspended access to its mobile apps following news of the vulnerability.
