An estimated three million customers ran the risk of having the private information in their accounts stolen

Jan 6, 2015 13:16 GMT

A security oversight in Moonpig's customer API, reported to the company by a developer in August 2013, let an attacker pull sensitive information out of any customer's account, impersonate that customer and place orders on their behalf.

The attack required nothing more than changing the customer ID sent in an API request made by the service's Android application, a textbook insecure direct object reference.

No per-user authentication in the Android app

Paul Price, the developer who found the flaw, began by inspecting the Android app's API requests and saw that every one of them carried the same static credentials: the client authenticated with a single username and password pair shared by every install, so the only thing that distinguished one user's request from another's was the customer ID parameter.

In a blog post published on Monday, Price says that after creating a second account he was able to read the other account's data simply by supplying its customer ID: the owner's name, date of birth, email address, the last four digits of the payment card, saved addresses and the order history.

“Every API request is like this, there's no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers' accounts, add/retrieve card information, view saved addresses, view orders and much more,” he wrote.

The blunder runs deeper than that: triggering an error from the API endpoint returns a help page listing every method the API exposes, complete with descriptions.

Price says the page also reveals internal network DNS settings, which hands an attacker a starting point for attacks on the infrastructure behind the API.

The API does appear to support OAuth 2.0 for authentication and authorization, but the Android client does not use it. A per-user token alone would not have closed the hole, however: the server also has to check on every request that the customer ID being asked for belongs to the user the token identifies, instead of looking up whatever ID the client sends.

Moonpig has more than three million customers

Price also checked whether the API limited how quickly a single client could pull records for different accounts, and found no rate limiting at all.

“Given that customer IDs are sequential an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours,” he concluded.
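The two findings above, the static app credential that lets any caller name any customer ID and the sequential IDs that make bulk harvesting trivial, reduce to a small pattern that is easy to model. The following is an added example written for this page, not Moonpig's code: the customers, the app credential and the per-user tokens are all constructed, and requests are plain dicts rather than real HTTP. `vulnerable_get_customer` authenticates only the app and then trusts the customer ID in the request; `hardened_get_customer` derives the customer from a per-user bearer token (the kind an OAuth 2.0 flow would issue) and refuses any mismatched ID. `enumerate_customers` runs the sequential-ID walk from the quote against either handler.

```python
"""Toy model of an API that authenticates the app, not the user (added example).

Everything below is constructed for illustration: the records, the
hard-coded app credential and the bearer tokens are hypothetical.
"""
import base64
import hmac

# Constructed sample data: a few customers with sequential IDs.
CUSTOMERS = {
    1001: {"name": "Alice Example", "card_last4": "4242"},
    1002: {"name": "Bob Example", "card_last4": "0005"},
    1003: {"name": "Carol Example", "card_last4": "1111"},
}

# Constructed: the one username/password pair every install of the app
# sends. It proves only "this is the app", never "this is customer X".
APP_BASIC_AUTH = base64.b64encode(b"android-app:s3cret").decode()

# Constructed: per-user bearer tokens. The server, not the client, knows
# which customer each token belongs to.
TOKENS = {
    "tok-alice": 1001,
    "tok-bob": 1002,
}


def _basic_auth_ok(headers):
    """Check the static app credential, the only check the flawed API made."""
    expected = "Basic " + APP_BASIC_AUTH
    return hmac.compare_digest(headers.get("Authorization", ""), expected)


def vulnerable_get_customer(request):
    """Flawed pattern: authenticate the app, then look up whatever customer
    ID the client supplied. Any valid install can read any record."""
    if not _basic_auth_ok(request["headers"]):
        return 401, None
    customer_id = request["params"]["customerId"]  # attacker-controlled
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def hardened_get_customer(request):
    """Fix: resolve the customer from a per-user token and reject any
    request whose customer ID is not that user's own."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    owner = TOKENS.get(auth[len("Bearer "):])
    if owner is None:
        return 401, None
    # Asking for someone else's record is a 403, not a silent redirect.
    if request["params"].get("customerId", owner) != owner:
        return 403, None
    return 200, CUSTOMERS[owner]


def enumerate_customers(handler, headers, start, count):
    """Walk a run of sequential IDs with one set of credentials and return
    every record the handler handed back."""
    leaked = {}
    for cid in range(start, start + count):
        status, rec = handler({"headers": headers, "params": {"customerId": cid}})
        if status == 200:
            leaked[cid] = rec
    return leaked


if __name__ == "__main__":
    app_hdrs = {"Authorization": "Basic " + APP_BASIC_AUTH}
    bob_hdrs = {"Authorization": "Bearer tok-bob"}
    # With the shared app credential the walk collects every customer;
    # with Bob's token it yields only Bob's own record.
    print("vulnerable:", sorted(enumerate_customers(vulnerable_get_customer, app_hdrs, 1000, 10)))
    print("hardened:  ", sorted(enumerate_customers(hardened_get_customer, bob_hdrs, 1000, 10)))
```

The ownership check in the hardened handler is the actual fix; rate limiting and non-sequential IDs only slow an attacker down and are worth adding as defence in depth, not as a substitute.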

Moonpig is estimated to have more than three million customers. Price first disclosed the issue to the company privately on August 18, 2013; when he followed up by email in September 2014, he was told the fix would come after Christmas.

On January 5, with the problem still unfixed, Price decided to go public. Moonpig responded by taking its apps offline until the issue was resolved.