Online greeting card company Moonpig has taken an API offline which bypassed all authentication security and allow an attacker to place orders on other customer accounts.
According to research by Paul Price, the flaw allows an attacker to easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more. He also said that every API request is like this, and if you hit the API endpoint with an unknown method, you get a custom 404 with a link to a help page listing every method available in their API with helpful descriptions. it just takes a customer ID number to be sent in an API request to exploit the flaw, as no authentication is required.
“The help page also exposes their internal network DNS setup – but that’s another story,” Price said. “I hit my test users a few hundred times in quick succession and I was not rate limited. Given that customer IDs are sequential, an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours.”
Price also said that he originally reported the issue in August 2013 where “after a few emails back and fourth their reasoning was legacy code and they’ll ‘get right on it’.” After a follow-up email was sent in September 2014, Moonpig told Price that the issue would be resolved “after Christmas”. Yet on 5th January, the vulnerability still exists.
He said: “Initially I was going to wait until they fixed their live endpoints, but given the timeframes I’ve decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers. 17 months is more than enough time to fix an issue like this.”
A comment request has been sent to Moonpig. The Information Commissioner’s Office said that it is aware of the incident and is looking into the details. A statement tweeted by Moonpig, said: “We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.”
In a statement sent to IT Security Guru, a spokesperson for Moonpig said: “We are aware of the claims made this morning regarding the security of customer data within our apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.
“As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”
Asked why he felt that the flaw was left unfixed for so long, security researcher Troy Hunt said that it was “pure negligence”, and that a flaw of this nature should be a very high priority and weeks, let alone 17 months, is totally unacceptable.
He said: “This is not a challenging flaw in any way, authentication patterns via API are very well established. It’s highly likely this flaw was built by Moonpig (or by those they outsourced to), as any mainstream frameworks would most likely have had such an obvious flaw identified earlier.
“This is a perfect example
of just how fundamental many of the security flaws are in popular software, and it’s entirely down to the competency of the developers and the lack of security oversight that allows such flawed software to launch.”