Moonpig.com Vulnerability – Exposes customer data

256 points by PaulSec, over 10 years ago

17 comments

knodi123, over 10 years ago
I've seen dumber. In my second real job, I was a book editor, but I noticed our web master literally had a file called accounts.js which held a static array of usernames, passwords, and billing information for all of our customers. I told him this was terrible security, and he said, literally, "You'd have to view source to even know passwords.js exists, and our source is pretty hard to read. I'm not worried."

I took all the info to our CEO and got him demoted to server maintenance guy, on the spot, and I took over his job.

He later gloated that my store was much slower than his, since he downloaded our entire database as JS flat files and did absolutely everything client-side except payment processing and order fulfillment. I pointed out that my store didn't require 10 megabytes of download for the first page view, plus I had industry-standard security.

He was in even more trouble a couple of weeks after that, because some Russian hackers pwned our server so bad that we had to drive to the colo and replace it with a new piece of hardware. I've got a dozen stories about this guy, he's a hoot.

Okay, last story, I promise; he's allergic to electronics power supplies, so he was the only employee who got to work from home (where he kept his CPU in a separate room from his keyboard and monitor).
Someone1234, over 10 years ago
I am a former customer of theirs (in the UK) and just contacted CS about this. I'm also looking into contacting the Information Commissioner's Office, as this issue is still open and my personal information (and that of the people I send cards to) is still available to anyone who may want it.

I'm pretty sure them ignoring this for a year is illegal, as it involves personal information which their privacy policy didn't authorise them to publish. However, I'll leave it to the ICO to make that determination.
ksk, over 10 years ago
http://www.conosco.com/case-studies/moonpig-outsourced-it/

> Protection against cyber attacks

Wow...
driverdan, over 10 years ago
To anyone thinking of enumerating the customer IDs to play with this, be very careful, as it's illegal in the USA. That is exactly what weev was arrested and convicted for.
josephwegner, over 10 years ago
Apparently they hired these guys to help with "protection against cyber attacks":

http://www.conosco.com/case-studies/moonpig-outsourced-it/

Awful...
dabeeeenster, over 10 years ago
Surely this is bad enough to warrant criminal prosecution? Not sure if that's even possible in the UK, but it ought to be... Shameful to have sat on that for over a year. Shameful.
bbcbasic, over 10 years ago
Disgusting - this should be priority one for them to fix.

I just changed all my details to ones from a fake name/address generator, then emailed Moonpig to close my account. I will lose about 80 pence, but never mind.

I didn't see an option to get rid of my credit card details, so that may still be vulnerable, especially with the NameOnCard field in the API.
troels, over 10 years ago
Wow. This is actually still wide open. This is really bad.

Fun fact - you don't even have to send the basic auth header - it'll respond just fine without it.
AAtticus, over 10 years ago
I'm sure the (outsourced) dev team will have a bad day tomorrow. This is just unacceptable. According to the blog post, he first made contact in 2013! Bugs happen, but this is just bad design.
LukeB_UK, over 10 years ago
My comment from the other thread:

They also make it very difficult to delete your account. Rather than just have a link on the site, you have to contact customer services, and they say they'll respond in 24-48 hours.

Not to mention the ways they try to hide you removing your card details. If you want to remove your card details, do the following:

"The easiest way to do this would be to go to the My Account page then click on the 'Add Moonpig Prepay Credit' link, click on the Buy link and your saved card details will be shown onscreen. Click on the 'Remove Card' option."
51Cards, over 10 years ago
Looks like the API is no longer accessible from here. Seems like they have pulled it down.
cdwhitcombe, over 10 years ago
In the address example you can even omit the arguments and it just returns you a large list of addresses. Would expect this to be hitting the news here in the UK tomorrow!

Judging by their parent company's website they seem to be PCI certified (http://careers.photobox.co.uk/security-officer-moonpig/), which is likely to be removed from them after this; also, given the private information on show, I would expect this breach of the Data Protection Act to mean a large fine for them.

For anyone at risk from this: you can't just cancel your account, but you can manually go through and delete quite a bit of data such as address books, and they then disappear from the API calls.
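The failure mode troels and cdwhitcombe describe, an endpoint that answers for any customer ID without checking who is asking, as an added example that is not from the thread or from Moonpig's code: a minimal vulnerable handler next to a hardened one that ties the requested ID to the authenticated session, plus a log check that flags a caller walking customer IDs in sequence. All names, tokens, records, paths and log lines are constructed assumptions.

```python
# Added example (not from the thread or from Moonpig): the API failure the
# comments describe is a handler that takes a customer ID from the caller
# and answers without authentication or an ownership check. Below, a
# minimal vulnerable handler sits beside a hardened one, and a log check
# flags callers walking customer IDs in sequence. All data is constructed.
from collections import defaultdict

# Constructed customer store; IDs are sequential, so they are guessable.
CUSTOMERS = {
    1001: {"name": "A. Example", "postcode": "AB1 2CD", "card_last4": "4242"},
    1002: {"name": "B. Sample", "postcode": "EF3 4GH", "card_last4": "1111"},
}
# Constructed session store: bearer token -> customer ID it was issued to.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}

def get_address_vulnerable(customer_id, auth_header=None):
    # Trusts the caller-supplied ID and ignores the auth header entirely,
    # which is the behaviour the comments above report.
    return CUSTOMERS.get(customer_id)

def get_address_hardened(customer_id, auth_header=None):
    # Require a valid bearer token, resolve the caller's own customer ID
    # from the session rather than the request, and refuse any mismatch.
    if not auth_header or not auth_header.startswith("Bearer "):
        return {"status": 401}
    owner = SESSIONS.get(auth_header[len("Bearer "):])
    if owner is None:
        return {"status": 401}
    if owner != customer_id:
        return {"status": 403}  # direct object reference to another customer
    return {"status": 200, "record": CUSTOMERS[customer_id]}

def enumeration_suspects(log_lines, window=5):
    # Flags source IPs that requested `window` or more consecutive customer
    # IDs. Constructed log format: "<ip> GET /api/customer/<id>".
    seen = defaultdict(set)
    for line in log_lines:
        ip, _, path = line.split()
        seen[ip].add(int(path.rsplit("/", 1)[1]))
    suspects = []
    for ip, ids in seen.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= window:
                suspects.append(ip)
                break
    return suspects
```

The hardened handler is the mitigation for the thread's complaint (the identifier is still guessable, but it no longer yields another customer's record), and the log check is the detection a defender would run against an endpoint like this.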
johngd, over 10 years ago
They have 3 other brands: http://photobox.co.uk http://uk.paper-shaker.com https://sticky9.com

Only the latter seems to enforce SSL. I registered a dummy account on Photobox, username/password/email, via their form, which was not using SSL.
arielm, over 10 years ago
It's astonishing that somewhere out in the modern world there's an API that returns personally identifiable information without requiring any sort of authentication.

What I find absurd is that the company hasn't done anything about it. Even if they don't care/know about security, they must at least care for bad PR...

But with all of that in mind, I don't know what's the best way to fight these clueless behemoths. You disclose, and thousands or even millions of people will be compromised. You don't, and those same people could be compromised, but no one will know because the attacker(s) will just continue to siphon information quietly.

They should be waterboarded for making a responsible individual have to choose.

For the record, I approve of this disclosure. Better to know the evil than let it go on unnoticed.
teh_klev, over 10 years ago
On top of this clusterfuck, I find it galling that I can't just close my account and have all my details removed. Oh no, you need to fill in a contact form.
comeonnow, over 10 years ago
Lots of users on Twitter saying to delete your account, but is there any proof that this will exclude your account from the API?
clobec, over 10 years ago
This is irresponsible disclosure. You should have contacted the Information Commissioner's Office. They would have used legal powers to force Moonpig to rectify this. There are very steep penalties for not protecting customer data.

Now that you've publicly disclosed this, opportunists (people one level above script kiddies) will probably grab a data dump and compromise every customer.

Dealing with this via legal channels would have ensured a resolution whilst protecting customer data from any opportunistic bad actor.

Shame on you. I can't wait for myself and my wife to get doxxed now. Thanks.

Also, FYI: the whole card number isn't returned because they are probably tokenising the full card number with their payment gateway... Or at least, I hope.

DOWNVOTING because you don't agree with me? How rude. I believe I'm making a valid point; there are legal channels in place to help with this sort of thing.

EDIT: some people think I do not hold Moonpig responsible for this. I do! I am not blaming the security researcher. What I am saying is that some countries (like the one where Moonpig is incorporated and operates) have agencies that deal with issues like these. Getting these agencies involved before public disclosure is a much nicer way to deal with these sorts of issues.

I'm aware that this exploit may already have been used, but that doesn't mean that we should tell everyone about it until it is resolved. Getting the ICO involved may have resolved this issue a long time ago.

My disclosure - I have a friend that works at the ICO, and she tells me that these issues usually take them (on average) 2 months to sort out. Companies get very anxious when the ICO contact them.