Moonpig pulls API after ignoring vulnerability reports

API pulled hours after vulnerability was made public

medical exam on a piggy bank
Credit: 401(K) 2013

Score one for disclosure. After being publicly flamed for taking a poor stance on security, Moonpig, a popular UK retailer for personalized greeting cards, has taken down their API, which was so badly implemented that it could have exposed the account details of 3.6 million customers.

The company hasn't issued a statement, but they were told about the flaws by Paul Price in 2013. Price, a developer by trade, sat on his findings, hoping to get the company to fix their code, but posted the details publicly after essentially being ignored.

One year after he first disclosed the problems, to which the company blamed legacy code, Price emailed to check on the status of a fix (as the API used by Moonpig was still stuck with the same flaws). The company promised a resolution after Christmas, but never delivered. Price disclosed his findings on Monday.

"Initially I was going to wait until they fixed their live endpoints but given the timeframes I've decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this!). ~17 months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig," Price wrote in his disclosure.

Around the time Price's findings were circulating online, the social media team for Moonpig were talking about relaxing with a cup of tea. The broken API had the ability to leverage OAuth 2.0, which would have fixed the issues, but it was never implemented.

The company has made no comment on the vulnerability, or offered an explanation as to why account information, such as names, addresses, limited credit card details, and order data, was so poorly defended.

Hours after Price's findings were published Moonpig, or perhaps the parent company PhotoBox, pulled the API offline.

So again, score one for disclosure.

Price tried to do the right thing, but the company ignored the issue fore 17 months, forcing his hand. In this case, full disclosure (my personal preference) is exactly what was needed.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.