Three million Moonpig accounts exposed by flaw

Darren Pauli reports:

Custom mugs and tat outfit Moonpig has a significant flaw that exposes personal records and partial credit card details for some three million customer (sic), almost 18 months after it was reported.

The failure, discovered and privately reported by developer Paul Price, meant every account and the names, birth dates, and email and street addresses could be accessed by changing the customer identification number sent in an API request.

Orders could be placed under any account. Credit card expiry dates and last four digits could be plucked out using a handy insecure API.

Read more on The Register.
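The flaw described above is a textbook insecure direct object reference: the caller is authenticated, but the record returned is selected by a customer id the client supplies, so any valid session can read any customer by changing that number. The following is an added example written for this post, not code from Moonpig, The Register or Paul Price's report: a minimal model of such an API handler beside a hardened one that binds the lookup to the session's identity, plus a small log check that flags the sequential-id walk an enumeration of accounts produces. All customer records, tokens and log lines are constructed, and the handler signatures are assumptions for illustration.

```python
"""Added example: IDOR in a customer-lookup API, the hardened form, and a
detection check over API access logs. Everything here is constructed."""
import logging
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    email: str
    card_last4: str  # only the last four digits are stored, as in the article


# Constructed sample data store keyed by customer id.
CUSTOMERS = {
    1001: Customer(1001, "Alice Example", "alice@example.invalid", "1234"),
    1002: Customer(1002, "Bob Example", "bob@example.invalid", "5678"),
}

# Constructed session table: bearer token -> authenticated customer id.
SESSIONS = {"token-alice": 1001, "token-bob": 1002}


def authenticate(headers):
    """Return the customer id bound to the session token, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return SESSIONS.get(value[len("Bearer "):])


def vulnerable_get_customer(headers, params):
    """Authenticates the caller, then trusts the client-supplied customerId
    to pick the record: authentication without object-level authorization."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "unauthorized"}
    cust = CUSTOMERS.get(int(params["customerId"]))
    if cust is None:
        return 404, {"error": "not found"}
    return 200, {"name": cust.name, "email": cust.email, "cardLast4": cust.card_last4}


def hardened_get_customer(headers, params):
    """Binds the record to the session identity. A customerId that does not
    match the session is refused with 403 and logged; the existence of the
    requested record is never revealed."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "unauthorized"}
    requested = int(params.get("customerId", caller))
    if requested != caller:
        logging.warning("session for %d requested record %d", caller, requested)
        return 403, {"error": "forbidden"}
    cust = CUSTOMERS[caller]
    return 200, {"name": cust.name, "email": cust.email, "cardLast4": cust.card_last4}


def flag_enumerating_sessions(access_log, threshold=5):
    """Detection over API logs. access_log is an iterable of
    (session_token, requested_customer_id) pairs. Returns the set of sessions
    that touched more than `threshold` distinct customer ids, the shape of
    traffic a sequential walk through ids produces."""
    seen = {}
    for token, cid in access_log:
        seen.setdefault(token, set()).add(cid)
    return {token for token, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    alice = {"Authorization": "Bearer token-alice"}
    print(vulnerable_get_customer(alice, {"customerId": "1002"}))  # leaks Bob
    print(hardened_get_customer(alice, {"customerId": "1002"}))    # 403
    # Constructed log: one session walking ten ids, one normal session.
    log = [("token-x", 1000 + i) for i in range(1, 11)] + [("token-alice", 1001)] * 2
    print(flag_enumerating_sessions(log))
```

The hardened handler rejects a mismatched id rather than silently substituting the session's own, so that probing shows up as 403s in the access log; the `flag_enumerating_sessions` threshold is a constructed value and would be tuned to the real API's traffic.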

Update: On Twitter, MoonpigUK tweeted:

Their tweet was met with skepticism and derision.

About the author: Dissent