API pulled hours after vulnerability was made public

Score one for disclosure.

After being publicly flamed for taking a poor stance on security, Moonpig, a popular UK retailer for personalized greeting cards, has taken down their API, which was so badly implemented that it could have exposed the account details of 3.6 million customers.

The company hasn’t issued a statement, but they were told about the flaws by Paul Price in 2013. Price, a developer by trade, sat on his findings, hoping to get the company to fix their code, but posted the details publicly after essentially being ignored.

One year after he first disclosed the problems, which the company blamed on legacy code, Price emailed to check on the status of a fix (the API used by Moonpig was still stuck with the same flaws). The company promised a resolution after Christmas, but never delivered. Price disclosed his findings on Monday.

“Initially I was going to wait until they fixed their live endpoints but given the timeframes I’ve decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this!). ~17 months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig,” Price wrote in his disclosure.

Around the time Price’s findings were circulating online, the social media team for Moonpig were talking about relaxing with a cup of tea. The broken API had the ability to leverage OAuth 2.0, which would have fixed the issues, but it was never implemented.

The company has made no comment on the vulnerability, nor offered an explanation as to why account information, such as names, addresses, limited credit card details, and order data, was so poorly defended.
Hours after Price’s findings were published, Moonpig, or perhaps the parent company PhotoBox, pulled the API offline.

So again, score one for disclosure. Price tried to do the right thing, but the company ignored the issue for 17 months, forcing his hand. In this case, full disclosure (my personal preference) is exactly what was needed.