Moonpig customers' personal details exposed in "simple API flaw" in Android mobile app
"There's no authentication at all," blast security specialists as Moonpig takes down its mobile apps
Moonpig, the popular greetings card and gifts website, has had the accounts of three million users compromised after an attack on the company's website by hacking group "p0wned".
The attack, according to reports, exploited a simple API flaw. The company has closed its mobile apps, which featured the flaw, in response.
As details of the security flaw that was exploited emerged, the company was widely criticised for its apparent lackadaisical attitude to users' security - and the personal details that may have been exposed, which include at least the last four digits of credit card numbers and their expiry dates.
One security specialist, Paul Price, wrote: "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot waterboarded."
The vulnerability enables anyone to access the names, dates of birth, email and home addresses of the company's 3.6 million customers with no more than the customer ID number sent in an API request, according to Price.
Following a detailed technical explanation, Price continued: "There's no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more.
"At this point one would usually decompile the APK [Android application package] and see if there are any hidden API methods but on this occasion there's no need, Moonpig have made it easy for us. If you hit the API endpoint with an unknown method you'll get a custom 404 with a link to a help page listing every method available in their API with helpful descriptions. The help page also exposes their internal network DNS set-up - but that's another story."
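The flaw Price describes is a textbook insecure direct object reference: the endpoint treats a client-supplied customer ID as proof of identity. The following is an added illustration, not code from the article or from Moonpig, using a constructed in-memory customer store and session table. It places a handler that trusts the request's `customerId` beside a hardened one that derives identity from a bearer token and refuses IDs that do not match the session, and adds a small log check a defender can run to spot one client walking through many customer IDs. Endpoint path, field names and tokens are assumptions for illustration.

```python
"""IDOR in an API: vulnerable handler vs hardened handler, plus a log-based probe check.

Everything here is constructed for illustration (toy data, toy sessions, assumed
endpoint shape); it is not Moonpig's real API or data.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample data: fictional customers, no real people.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.test", "card_last4": "1234"},
    1002: {"name": "Bob Example", "email": "bob@example.test", "card_last4": "9876"},
}

# Constructed session table: token issued at login -> authenticated customer id.
SESSIONS = {"tok-alice": 1001}


@dataclass
class Request:
    params: dict   # query/body parameters chosen by the client
    headers: dict  # e.g. {"Authorization": "Bearer ..."}


@dataclass
class Response:
    status: int
    body: dict


def vulnerable_get_customer(req: Request) -> Response:
    """Vulnerable pattern: whoever supplies a customerId gets that customer's record."""
    try:
        cid = int(req.params.get("customerId", 0))
    except ValueError:
        return Response(400, {"error": "bad request"})
    record = CUSTOMERS.get(cid)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def hardened_get_customer(req: Request) -> Response:
    """Hardened pattern: identity comes from the session, not from the request body."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return Response(401, {"error": "unauthenticated"})
    session_cid = SESSIONS.get(auth[len("Bearer "):])
    if session_cid is None:
        return Response(401, {"error": "unauthenticated"})
    # A customerId may still be sent for API compatibility, but it is only
    # accepted when it matches the authenticated principal (object-level authz).
    try:
        requested = int(req.params.get("customerId", session_cid))
    except ValueError:
        return Response(400, {"error": "bad request"})
    if requested != session_cid:
        return Response(403, {"error": "forbidden"})
    return Response(200, CUSTOMERS[session_cid])


# Constructed access-log lines: "<client-ip> <method> <path> <status>".
SAMPLE_LOG = """\
10.0.0.5 GET /api/customer?customerId=1001 200
10.0.0.5 GET /api/customer?customerId=1002 200
10.0.0.5 GET /api/customer?customerId=1003 200
10.0.0.5 GET /api/customer?customerId=1004 200
10.0.0.9 GET /api/customer?customerId=2001 200
"""


def clients_touching_many_ids(log_text: str, threshold: int = 3) -> list:
    """Return client IPs that requested at least `threshold` distinct customer IDs.

    One legitimate user normally touches one customer ID; a client sweeping
    through many is the signature of ID enumeration against an IDOR.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ip, _method, path, _status = line.split()
        for cid in parse_qs(urlparse(path).query).get("customerId", []):
            seen[ip].add(cid)
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    anon = Request({"customerId": "1002"}, {})
    print("vulnerable, no auth:", vulnerable_get_customer(anon).status)   # 200
    print("hardened, no auth:", hardened_get_customer(anon).status)       # 401
    print("hardened, other id:", hardened_get_customer(
        Request({"customerId": "1002"}, {"Authorization": "Bearer tok-alice"})).status)  # 403
    print("suspicious clients:", clients_touching_many_ids(SAMPLE_LOG))
```

The hardened handler also closes the "any customer ID" path without breaking clients that still send the field, and the 403 branch is the place to emit a security event, since a mismatch there is almost always a probe rather than a user error.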
The security flaw is not new, claims Price.
He writes that he has been attempting to contact the company about the security shortcoming since August 2013. "Initially I was going to wait until they fixed their live endpoints, but given the time-frames I've decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this!). Seventeen months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig," writes Price.
The company claims that customer user names and passwords, and credit card details were not exposed by the security flaw, although users may be at risk of identity theft.