Online greeting card firm Moonpig has finally suspended its mobile apps 17 months after being warned of serious security flaws.
The company has come under fire from security experts and customers for taking so long to respond.
Many took to Twitter to voice their opinions with tweets like: “Hey @MoonpigUK, this is completely and utterly unacceptable. Existing customers, beware.”
In August 2013, developer Paul Price discovered serious security flaws in Moonpig’s Android mobile app that could enable hackers to access the personal details of customers.
Price immediately alerted Moonpig, owned by the Photobox Group since 2011. He followed up in September 2014, when he was told the issue would be resolved "before Christmas".
When no action was taken, Price decided to go public with the information in a blog post, prompting the company to suspend its apps and launch an investigation.
“We can assure our customers that all password and payment information is and has always been safe,” the company said in a statement.
Moonpig said that as a precaution, its mobile apps will be unavailable while it investigates, but said its desktop and mobile websites are unaffected.
In his blog post, Price said: “I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be
He claimed that with a bit of manipulation he was able to uncover the customer IDs, names, dates of birth, email and home addresses, and some credit card details of other Moonpig customers.
Price said he found the Android app did not use any authentication methods, which meant he could enter any customer ID to impersonate them.
“An attacker could easily place orders on other customers’ accounts, add/retrieve card information, view saved addresses, view orders and much more,” he said.
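The flaw Price describes is an API that serves whichever customer ID the client names, with nothing checking who is asking. As an added illustration (not Moonpig's code; all names, records and passwords are constructed), here is that weak design beside a hardened handler that derives identity from a server-issued session token, refuses records belonging to anyone else, and records the refusal for detection:

```python
import hashlib
import secrets

# Constructed sample records standing in for the customer database.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid"},
}

def get_customer_insecure(customer_id: int) -> dict:
    """The weak design described in the article: the request names the
    customer and nothing verifies who is asking, so any ID is served."""
    return CUSTOMERS[customer_id]

# Hardened design: identity comes from a server-issued session token.
SALT = secrets.token_bytes(16)          # per-process salt for the demo
def _hash_pw(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

PASSWORD_HASHES = {1001: _hash_pw("alice-pw"), 1002: _hash_pw("bob-pw")}  # constructed
SESSIONS: dict[str, int] = {}   # token -> customer_id, set only at login
AUDIT_LOG: list[str] = []       # rejected requests, kept for detection

def login(customer_id: int, password: str) -> str:
    """Check the credential, then issue an opaque random token bound to
    the customer. The token, not the request body, carries identity."""
    expected = PASSWORD_HASHES.get(customer_id)
    if expected is None or not secrets.compare_digest(expected, _hash_pw(password)):
        raise PermissionError("login failed")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token

def get_customer_secure(token: str, requested_id: int) -> dict:
    """Authenticate (valid token) and then authorise (record belongs to the
    token's owner); a guessed ID for another customer is refused and logged."""
    caller = SESSIONS.get(token)
    if caller is None:
        AUDIT_LOG.append(f"unauthenticated request for customer {requested_id}")
        raise PermissionError("unauthenticated")
    if caller != requested_id:
        AUDIT_LOG.append(f"customer {caller} requested record of {requested_id}")
        raise PermissionError("forbidden")
    return CUSTOMERS[requested_id]
```

The audit entries are what a monitoring team would alert on: a burst of cross-customer refusals from one session is the signature of someone walking through IDs.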
The issue of responsible disclosure has been highlighted recently by a bug research group at Google publicly disclosing a Windows 8.1 zero-day vulnerability before Microsoft had issued a patch.
Google’s policy is to give software suppliers just 90 days to remediate any flaws its team of researchers discovers.
Price maintains he has acted responsibly by first going to Moonpig with his discovery.
“Initially I was going to wait until they fixed their live endpoints but, given the timeframes, I've decided to publish this post to force Moonpig to fix the issue and protect the privacy of their customers (who knows who else knows about this!).
“17 months is more than enough time to fix an issue like this. It appears customer privacy is not a priority to Moonpig,” he wrote in his blog post.
Chris Boyd, malware intelligence analyst at security firm Malwarebytes, said too much time has elapsed between notification and any attempt at a fix.
“At the very least, one would expect the company to notify customers by email to let them know there's an issue, providing steps they can take to try and avoid falling foul of anybody using this for personal gain,” he said.
System not built with security in mind
Independent security consultant Graham Cluley said Moonpig’s system was clearly not built with security in mind.
“That’s very bad, as its databases contain sensitive information and it could clearly be easily abused by online criminals and fraudsters.
“But what I find worse is Moonpig’s failure to adequately respond when it has been given such a long time to do so,” he wrote in a blog post.
Cluley said he would have preferred Price to have gone to the media to apply pressure on Moonpig to respond rather than making details of the vulnerability public.
“However, after waiting 17 months, I can certainly understand the frustration felt by someone who has tried to get the problem fixed and found a company that clearly wasn’t listening,” he wrote.
Kaspersky Lab principal security researcher David Emm said it is important that companies take information about vulnerabilities in their products very seriously.
“If this vulnerability is confirmed, and it's true that Moonpig has previously failed to take any action to protect their customers for almost a year and a half, this is alarming – especially for a provider of an online shopping application used to transmit highly sensitive data,” he said.
Emm said users of online services have a responsibility to secure themselves by only using secure websites and legitimate apps, and by using unique, complex passwords.
“However, providers also have a responsibility to ensure secure communication between the customers and their own systems,” he said.
APIs a security concern
Rapid7 global security strategist Trey Ford said application programming interfaces (APIs) have been an area of concern in the cyber security community for years.
“An internet-exposed API is serving requests from the public internet – they are often poorly documented, insufficiently logged and routinely overlooked in security testing.
“This is further complicated by different developers using and expanding the API in unexpected ways. Moonpig and Photobox, like many other organisations should be, are taking a hard look at the security of their APIs,” he said.