Moonpig has ceased transactions through its mobile apps after a concerned cyber-security expert exposed a site vulnerability which endangered the financial details of its 3.6 million customers.
The website, which lets customers purchase specially customised greetings cards, pulled its iOS and Android apps after security expert Paul Price published details of the site’s vulnerability, his earlier warnings to Moonpig having allegedly fallen on deaf ears.
As a result of the site’s poor security measures, Moonpig was wide open to attacks designed to capture customer names, addresses, email addresses and card details, according to Price.
He claimed to have informed the company of the fault as early as 18 August 2013. Yet one and a half years later the flaw was still unaddressed despite staff assuring him it would be corrected “before Christmas” 2014.
“I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be shot or waterboarded.
“Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours - very scary indeed,” he said.
Price concluded: “An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more.”
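The enumeration risk Price describes comes from accepting a caller-supplied customer ID without binding it to the authenticated account. The following is an added illustration, not code from Moonpig or from Price's write-up: a server-side authorisation check beside a detector that scans constructed API access logs (the log format, account numbers and endpoint paths are all assumed) for one account walking consecutive foreign customer IDs.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real Moonpig traffic). Each line records the
# authenticated account and the customer resource it requested.
SAMPLE_LOG = """\
2015-01-05T10:00:01 acct=4411 GET /customers/4411/addresses
2015-01-05T10:00:02 acct=4411 GET /customers/4411/orders
2015-01-05T10:01:00 acct=9001 GET /customers/1000/cards
2015-01-05T10:01:01 acct=9001 GET /customers/1001/cards
2015-01-05T10:01:02 acct=9001 GET /customers/1002/cards
2015-01-05T10:01:03 acct=9001 GET /customers/1003/cards
2015-01-05T10:01:04 acct=9001 GET /customers/1004/cards
"""

# Assumed log layout: "acct=<account> <METHOD> /customers/<customer_id>/..."
LINE_RE = re.compile(r"acct=(\d+) \w+ /customers/(\d+)/")


def authorize_customer_access(session_account_id: int, requested_id: int) -> bool:
    """Server-side fix: a caller may only read the customer record bound to its
    authenticated session, never an arbitrary ID taken from the request."""
    return session_account_id == requested_id


def flag_enumeration(log_text: str, threshold: int = 3) -> dict:
    """Detection: for each account, count distinct customer IDs it touched that
    are not its own, and note whether those IDs form a consecutive run, which is
    the signature of walking a sequential ID space."""
    foreign_ids = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        acct, cust = int(m.group(1)), int(m.group(2))
        if not authorize_customer_access(acct, cust):
            foreign_ids[acct].add(cust)
    findings = {}
    for acct, ids in foreign_ids.items():
        if len(ids) >= threshold:
            ordered = sorted(ids)
            sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
            findings[acct] = {"foreign_ids": len(ids), "sequential": sequential}
    return findings
```

Account 4411 only reads its own resources and produces no finding; account 9001 reads five consecutive foreign customer IDs and is flagged.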
A Moonpig spokesperson said: “Moonpig has taken the app offline. As a precaution, our apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible.”
The firm addressed customer concerns on Twitter.
We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.
— Moonpig (@MoonpigUK) January 6, 2015