Moonpig: not so careful with your sensitive details

A vulnerability has been found on the Moonpig website which means a ne'er-do-well could get at all your details, including your card number... and it looks like the card-vendor isn't doing anything about it.

Despite their hokey 'Oh, we're just a little company with a crappy hand drawn logo, not like those awful huge businesses' image, Moonpig actually have millions of customers and have sold around 6 million cards.

Website had a look at the security of the Moonpig site and, after ferreting around said: "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be waterboarded."

Moonpig's site uses basic authentication rather than a session key, which isn't great, and from that point on it continues to get worse. Basically, what was found was that "an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours", which is rather unpleasant and very shoddy on the part of the company.

And to make matters worse, Moonpig aren't at all bothered.

After the vulnerability was discovered, the site tried to be responsible and contacted Moonpig. That was in 2013! And still, there's nothing being done.

Here's what the site said:

18th Aug '13 - (yes, 2013!) Initial contact made with vendor. After a few e-mails back and forth their reasoning was legacy code and they'll "get right on it".

26th Sep '14 - Follow up e-mail. Issue still not resolved. ETA "after Christmas"

5th Jan '15 - Vulnerability still exists with ample amount of time given to vendor to fix the issue.
Initially I was going to wait until they fixed their live endpoints but given the timeframes I've decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this!). ~17 months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig.

If you're really techie and want to see what this all looks like under the hood, check out the site's report on it all.

What do you think?

