
Moonpig app pulled after expert exposes 'half-arsed' security measures

6 January 2015 - 12:44pm | posted by John McCarthy

Jan 08, 2015

Moonpig has ceased transactions through its mobile apps after a concerned cyber-security expert exposed a site vulnerability which endangered the financial details of its 3.6 million customers.

The website, which lets customers purchase specially customised greetings cards, pulled its iOS and Android apps after security expert Paul Price published details of the site’s vulnerability, his warnings to Moonpig having allegedly fallen on deaf ears.

As a result of the site’s poor security measures, Moonpig was wide open to attacks designed to capture customer names, addresses, email addresses and card details, according to Price.

He claimed to have informed the company of the fault as early as 18 August 2013. Yet one and a half years later the flaw was still unaddressed despite staff assuring him it would be corrected “before Christmas” 2014.

“I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot or waterboarded.

“Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours - very scary indeed,” he said.

Price concluded: “An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more.”

A Moonpig spokesperson said: “Moonpig has taken the app offline. As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible.”
