Three Million Moonpig accounts exposed by flaw


A flaw has been discovered that left some three million Moonpig accounts exposed, revealing personal records and partial credit card details for those customers, almost 18 months after it was first reported.

The failure, discovered and privately reported by developer Paul Price, meant that any account's name, date of birth, email address and street address could be accessed simply by changing the customer identification number sent in an API request, as shown below.

[Image: Three Million Moonpig accounts exposed]

In Price's tests he discovered that the API calls were not rate-limited, meaning that in theory it would be possible to work through every possible Customer ID and therefore place orders under any account. Credit card expiry dates and the last four digits of card numbers could also be extracted.
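To make the class of flaw concrete, here is an added illustration (not Moonpig's code and not Price's test) of the two weaknesses the report describes: an API handler that trusts a client-supplied customer ID with no ownership check, shown beside a hardened handler that binds the lookup to the authenticated session, plus a simple per-caller rate limiter as a second layer. All customer records, IDs and names are constructed sample data.

```python
"""Insecure direct object reference (IDOR) versus a session-bound lookup,
with a fixed-window rate limiter. Sample data below is constructed."""
from dataclasses import dataclass, field
from typing import Optional, Tuple
import time

# Constructed sample records keyed by customer id (not real data).
CUSTOMERS = {
    101: {"name": "Alice Example", "email": "alice@example.invalid", "card_last4": "1234"},
    102: {"name": "Bob Example", "email": "bob@example.invalid", "card_last4": "9876"},
}


class AuthorizationError(Exception):
    pass


class RateLimited(Exception):
    pass


@dataclass
class Session:
    """The authenticated caller. customer_id comes from the server-side
    session, never from the request body or URL."""
    customer_id: int


def get_customer_vulnerable(session: Session, requested_id: int) -> dict:
    """Vulnerable pattern: the handler uses whatever id the client sent and
    never checks that it belongs to the caller, so ids can be enumerated."""
    return CUSTOMERS[requested_id]


def get_customer_hardened(session: Session, requested_id: int) -> dict:
    """Hardened pattern: the requested id must equal the session's own id.
    Using one error for 'not yours' and 'does not exist' also avoids
    confirming which ids are valid."""
    if requested_id != session.customer_id or requested_id not in CUSTOMERS:
        raise AuthorizationError("not found")
    return CUSTOMERS[requested_id]


def attempt_lookup(handler, session: Session, requested_id: int) -> Tuple[str, Optional[dict]]:
    """Run a handler and report ('ok', record) or ('denied', None)."""
    try:
        return "ok", handler(session, requested_id)
    except (AuthorizationError, KeyError):
        return "denied", None


@dataclass
class RateLimiter:
    """Fixed-window limiter keyed by caller (e.g. session or API key), so
    that even a flawed endpoint cannot be walked quickly across the id space.
    'now' is injectable for deterministic testing."""
    max_requests: int
    window_seconds: float
    _hits: dict = field(default_factory=dict)

    def check(self, caller: str, now: Optional[float] = None) -> int:
        """Record one request; return the count in the current window or
        raise RateLimited once the limit is exceeded."""
        now = time.monotonic() if now is None else now
        start, count = self._hits.get(caller, (now, 0))
        if now - start >= self.window_seconds:
            start, count = now, 0  # window expired: start a fresh one
        count += 1
        self._hits[caller] = (start, count)
        if count > self.max_requests:
            raise RateLimited(caller)
        return count


def handle_request(session: Session, requested_id: int, limiter: RateLimiter,
                   caller_key: str, now: Optional[float] = None) -> Tuple[str, Optional[dict]]:
    """Full hardened path: rate limit first, then the session-bound lookup."""
    try:
        limiter.check(caller_key, now)
    except RateLimited:
        return "rate_limited", None
    return attempt_lookup(get_customer_hardened, session, requested_id)


if __name__ == "__main__":
    alice = Session(customer_id=101)
    print(attempt_lookup(get_customer_vulnerable, alice, 102))  # leaks Bob's record
    print(attempt_lookup(get_customer_hardened, alice, 102))    # ('denied', None)
```

The hardened handler never compares the request against a database-wide id list; it compares against the caller's own session identity, which is the check the report says was missing. The limiter is deliberately keyed by caller rather than by target id, since an attacker rotating through ids would otherwise never trip it.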


Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]
