Moonpig breach highlights need for app and API testing

A severe vulnerability in the API used by Moonpig's Android app has highlighted the need for organisations to apply greater scrutiny to the security of their apps and endpoints. Through its apps and website, the custom greetings card company sends out more than 12 million cards every year and turned over £53 million last year.

By enumerating an easily predictable sequence of user ID numbers, anyone could retrieve various information about millions of Moonpig customers, including names, addresses, and some credit card details. Because there was no authentication mechanism for the API, an attacker could also have placed orders on other customers' accounts.

Unlike with traditional web applications, much of what goes on beneath the glossy facade of an app is hidden from the user — but with the right tools and the right knowledge, it can be trivial to identify and exploit any vulnerabilities that might affect it. The Moonpig vulnerability exemplifies this, as the problem was not only easy to spot, but could be exploited simply by pasting a modified URL into a standard web browser.

The Moonpig vulnerability stemmed from the fact that the API trusted data sent from the app, without considering that it could have been altered or fabricated by a malicious party. This type of vulnerability fundamentally compromises the security of the application and the data it handles, and would likely be quickly identified in a third-party security test of the API.
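An added example, not Moonpig's code or part of the original article: a Python sketch of the flaw described above, next to a handler that takes the caller's identity from a server-issued token and refuses requests for any other customer's record. The data store, the `customer_id` parameter name and the simplified HMAC token (no expiry) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the store and field names are assumptions.
SERVER_KEY = secrets.token_bytes(32)  # known only to the server
CUSTOMERS = {
    "1001": {"name": "Alice Example", "address": "1 Sample Road"},
    "1002": {"name": "Bob Example", "address": "2 Sample Road"},
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""


def issue_token(customer_id: str) -> str:
    """Issued by the server after login: the customer id plus an HMAC over it."""
    tag = hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{tag}"


def authenticated_customer(token: str) -> str:
    """Return the customer id the token was issued for, or raise Forbidden."""
    customer_id, _, tag = token.partition(".")
    expected = hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the supplied tag against the expected one.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise Forbidden("missing or invalid token")
    return customer_id


def get_customer_unsafe(params: dict) -> dict:
    """The flaw: the record is selected by a client-supplied id and nothing else."""
    return CUSTOMERS[params["customer_id"]]


def get_customer(params: dict, token: str) -> dict:
    """Hardened: identity comes from the verified token; the requested id must match."""
    caller = authenticated_customer(token)
    if params.get("customer_id") != caller:
        raise Forbidden("record belongs to another customer")
    return CUSTOMERS[caller]
```

A security test of an API should include exactly this check: request a second account's record while holding only the first account's credentials and confirm the server refuses.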

The danger posed by this vulnerability was compounded by Moonpig's failure to react promptly — Moonpig purportedly knew about this issue 17 months ago after it was reported by one of its own customers. However, Moonpig failed to shut down or fix the vulnerable service until after the vulnerability was publicly disclosed last night.

Moonpig issued the following statement on its website today:

You may have seen reports this morning about our Apps and the security of customer details when shopping with Moonpig. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today's report as a priority. As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.

Netcraft offers Mobile App Security Testing services and traditional Web Application Security Testing, both of which include testing of relevant APIs and other endpoints that may be commonly overlooked. Contact us at security-sales@netcraft.com to discuss your requirements.