Full Report
Moonpig, the online personalised card company, has been accused of a shockingly sloppy attitude to security, after apparently leaving a serious hole in its security unpatched.
Analysis Summary
# Vulnerability: Unauthenticated API Access to Customer Data at Moonpig
## CVE Details
- CVE ID: N/A (No formal CVE assignment mentioned in the article)
- CVSS Score: N/A (Severity must be inferred based on impact/context; likely High given the scope)
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) or CWE-287 (Improper Authentication)
## Affected Systems
- Products: Moonpig (Online personalized card company)
- Versions: Not specified, but affects the customer API endpoint in question.
- Configurations: Any configuration using the vulnerable API endpoint for customer lookups.
## Vulnerability Description
The vulnerability is a critical flaw in the Moonpig API that allowed customer records to be retrieved without any form of authentication: by simply altering the `Customer ID` number sent in an API request, an attacker could retrieve the personal data of other customers. Furthermore, the API calls were not rate-limited, so an attacker could enumerate all Customer IDs and exfiltrate the records of the entire customer database. The vulnerability was first reported to Moonpig in August 2013 and remained unpatched for approximately 17 months before the researcher disclosed it publicly in January 2015.
## Exploitation
- Status: Public disclosure of the technical details implies the flaw is readily exploitable; the researcher went public because the vendor had not acted on the report.
- Complexity: Low (Requires "a modicum of programming knowledge" and sequential testing/enumeration).
- Attack Vector: Network (API interaction).
## Impact
- Confidentiality: High (Access to names, dates of birth, email addresses, and home addresses for 3.6 million customers).
- Integrity: Low (No direct mention of data modification capabilities).
- Availability: Low (No direct impact on service availability mentioned, though the affected API appears to have been taken offline post-disclosure).
## Remediation
### Patches
- The article states that at the time of writing, Moonpig "appears to have shut down access to its offending API." Specific patch versions or fixes were not detailed.
### Workarounds
- No specific workarounds were detailed, other than the vendor presumably taking the flawed API offline.
## Detection
- Indicators of Compromise: High volume of sequential, non-authenticated API lookups targeting customer endpoints.
- Detection methods and tools: Monitoring API traffic for unusual patterns of Customer ID enumeration or requests lacking valid authorization tokens against the customer data endpoint.
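As an added example (not from the article or from Moonpig), the detection approach described above applied to a constructed sample of API access log lines: it flags successful customer lookups that carry no credentials, and sources whose requested Customer IDs form a consecutive run. The log format and the `/api/customer/<id>` path are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of API access log lines (not Moonpig's real logs). Assumed
# format: <src_ip> <method> <path> auth=<yes|no> status=<code>; the path is hypothetical.
SAMPLE_LOG = """\
203.0.113.7 GET /api/customer/1001 auth=no status=200
203.0.113.7 GET /api/customer/1002 auth=no status=200
203.0.113.7 GET /api/customer/1003 auth=no status=200
203.0.113.7 GET /api/customer/1004 auth=no status=200
203.0.113.7 GET /api/customer/1005 auth=no status=200
198.51.100.9 GET /api/customer/4412 auth=yes status=200
192.0.2.20 GET /api/customer/88 auth=no status=200
"""

LINE_RE = re.compile(r"^(\S+) \S+ /api/customer/(\d+) auth=(yes|no) status=(\d+)$")


def parse_log(text):
    """Return customer-lookup events as (ip, customer_id, authenticated, status)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines for other endpoints simply do not match
            events.append((m[1], int(m[2]), m[3] == "yes", int(m[4])))
    return events


def find_unauthenticated_hits(text):
    """Any successful customer lookup without credentials is a finding by itself."""
    return [(ip, cid) for ip, cid, auth, status in parse_log(text)
            if not auth and status == 200]


def find_enumeration(text, min_run=4):
    """Map source IP -> longest run of consecutive customer IDs it requested,
    keeping only sources at or above min_run (the enumeration pattern)."""
    ids_by_ip = defaultdict(list)
    for ip, cid, _, _ in parse_log(text):
        ids_by_ip[ip].append(cid)
    flagged = {}
    for ip, ids in ids_by_ip.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged
```

On the sample, the single unauthenticated lookup from 192.0.2.20 is reported by the first check even though it is not enumeration, since one credential-less hit is already a policy violation.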
## References
- Vendor advisories: None publicly referenced in the summary.
- Relevant links (defanged):
  - Researcher disclosure outlining the vulnerability: hxxp://www.ifc0nfig.com/moonpig-vulnerability/