A security flaw on the website of online gift company Moonpig has left millions of customers at risk of having their personal details stolen, despite the firm being made aware of the problem over a year ago.
Security researcher Paul Price uncovered the flaw in August 2013, and informed the company. However, come 2015, nothing had been done and he has now made the flaw public.
Price explained on his blog that the problem relates to an API on the Android app for Moonpig that had no built-in authentication protocols and could easily be duped into returning information including customer email address and bank card details.
Price said that the method he used to access this information was incredibly basic and that the app did not even contain basic security measures such as ‘rate limiting’ to stop someone building up a huge list of people’s details.
“Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours - very scary indeed,” he said.
“I've seen some half-arsed security measures in my time but this just takes the biscuit.”
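As an added illustration (not Moonpig's code and not from Price's post): the unauthenticated, enumerable customer lookup the article describes, beside a version that binds the lookup to the caller's session and throttles requests per token. The customer records, session tokens and limit values are constructed for the example.

```python
"""Constructed illustration of an enumerable, unauthenticated lookup and the
server-side checks that close it. Records, tokens and limits are made up."""
import time
from collections import defaultdict, deque

# Constructed sample data: sequential customer IDs, as the article notes.
CUSTOMERS = {
    1001: {"email": "a@example.com", "card_last4": "1111"},
    1002: {"email": "b@example.com", "card_last4": "2222"},
    1003: {"email": "c@example.com", "card_last4": "3333"},
}
# Assumed session store: session token -> customer ID it was issued to.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}

def get_customer_vulnerable(customer_id):
    """Before: the caller names any ID and gets that record back. Nothing ties
    the ID to the caller, so IDs can simply be walked 1001, 1002, 1003, ..."""
    return CUSTOMERS.get(customer_id)

class RateLimiter:
    """Allow at most `limit` calls per key within a sliding window of seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

LIMITER = RateLimiter(limit=5, window=60)

def get_customer_hardened(token, customer_id, now=None):
    """After: resolve the caller from the session, throttle per token, and
    only ever return the caller's own record. Returns (status, record)."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None            # no valid session
    if not LIMITER.allow(token, now):
        return 429, None            # too many requests from this token
    if owner != customer_id:
        return 403, None            # not the caller's record: blocks enumeration
    return 200, CUSTOMERS[customer_id]
```

The 403 branch deliberately counts against the rate limit too, so a token that keeps asking for other customers' IDs is throttled rather than given unlimited guesses.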
Moonpig said in a statement sent to V3 that it was aware of the problem and is working to fix it as quickly as possible.
“We can assure our customers that all password and payment information is and has always been safe,” the company said.
“As a precaution, our apps will be unavailable for a time whilst we conduct these investigations, and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.”
Price said that he made the vulnerability public in order to force Moonpig into action.
“Initially I was going to wait until they fixed their live endpoints but, given the timeframes, I've decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this?),” he said.
“Seventeen months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig.”
Concerns about responsible disclosure surfaced again this week after Google published a flaw in Windows 8.1 that Microsoft had failed to fix within a 90-day period.
Some criticised Google for its action, claiming that 90 days was not enough time for Microsoft to fully fix the problem. However, others said it is important that companies react promptly when made aware of security flaws.
The Moonpig incident will no doubt be investigated by the Information Commissioner's Office, which may take a dim view. The watchdog fined an abortion charity £200,000 last year after a hacker was able to infiltrate its systems.