There’s a big problem with Moonpig, the website that lets you send your friends and family personalised greeting cards. The company has turned off its mobile apps while it figures out the problem.
Security researcher Paul Price discovered that a flaw in Moonpig’s apps can be used to find personal information about the site’s customers.
Price looked at the requests Moonpig’s Android app sends to the main server. They can be easily manipulated to reveal customer information including addresses, names, dates of birth, credit card expiry dates and even the last four digits of credit card numbers.
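The article says only that an app request could be altered to return other customers’ details. As an added illustration (not Moonpig’s code; the real API and request format are not shown), the block below models that failure class: a lookup handler that returns whichever customer record the client names, beside one that binds the lookup to the authenticated account, plus a small check over constructed access-log lines that flags sessions reading records they do not own. Field names, record ids and log format are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    address: str
    date_of_birth: str
    card_expiry: str
    card_last4: str


# Constructed sample records standing in for the server's customer store.
CUSTOMERS = {
    1001: Customer(1001, "A. Example", "1 Sample St", "1980-01-01", "12/16", "1234"),
    1002: Customer(1002, "B. Example", "2 Sample St", "1975-05-05", "06/17", "5678"),
}


class Forbidden(Exception):
    """The authenticated caller may not read the requested record."""


def get_customer_vulnerable(authenticated_id: int, requested_id: int) -> Customer:
    """Returns whatever record the request names; the caller's own identity is
    never consulted, so changing the id in the request exposes other customers'
    data. This is the failure class the article describes."""
    return CUSTOMERS[requested_id]


def get_customer_hardened(authenticated_id: int, requested_id: int) -> Customer:
    """Binds the lookup to the authenticated account instead of trusting the
    client: the server, not the request, decides whose record comes back."""
    if requested_id != authenticated_id:
        raise Forbidden(f"account {authenticated_id} may not read customer {requested_id}")
    return CUSTOMERS[requested_id]


# Constructed access-log lines: "<session> <authenticated_id> <requested_id>".
SAMPLE_LOG = """\
s1 1001 1001
s2 1002 1002
s3 1001 1002
s3 1001 1003
s3 1001 1004
"""


def sessions_reading_foreign_records(log: str, threshold: int = 2) -> dict:
    """Flags sessions that request at least `threshold` distinct records they do
    not own, the trace a bulk harvest through such a flaw would leave in logs."""
    foreign = defaultdict(set)
    for line in log.splitlines():
        session, auth_id, req_id = line.split()
        if auth_id != req_id:
            foreign[session].add(req_id)
    return {s: len(ids) for s, ids in foreign.items() if len(ids) >= threshold}
```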
Worryingly, it doesn’t look like the vulnerability was fixed, even after Moonpig was notified of the problem in August 2013. Price says that he was told Moonpig would “get right on” fixing the code, but that never happened.
The Register is reporting that up to 3 million customers may have had their personal information leaked as part of the security vulnerability. There’s no evidence that anyone has actually used the exploit to find the information of customers, but considering that the security flaw has been around since 2013, it’s certainly possible.
Moonpig hasn’t issued a statement on the vulnerability. It does look like it has shut off its API, however, so the apps can no longer use it. Purchases have also been suspended through its iOS and Android apps.