Moonpig.com Vulnerability – Exposes customer data - PaulSec
http://www.ifc0nfig.com/moonpig-vulnerability/

======
knodi123
I've seen dumber. In my second real job, I was a book editor, but I noticed
our web master literally had a file called accounts.js which held a static
array of usernames, passwords, and billing information for all of our
customers. I told him this was terrible security, and he said, literally,
"You'd have to view source to even know passwords.js exists, and our source is
pretty hard to read. I'm not worried."

I took all the info to our CEO and got him demoted to server maintenance guy,
on the spot, and I took over his job.

He later gloated that my store was much slower than his, since he downloaded
our entire database as JS flat files and did absolutely everything client-side
except payment processing and order fulfillment. I pointed out that my store
didn't require 10 megabytes of download for the first page view, plus I had
industry-standard security.

He was in even more trouble a couple of weeks after that, because some Russian
hackers pwned our server so bad that we had to drive to the colo and replace
it with a new piece of hardware. I've got a dozen stories about this guy, he's
a hoot.

Okay, last story, I promise; he's allergic to electronics power supplies, so
he was the only employee who got to work from home (where he kept his CPU in a
separate room from his keyboard and monitor).

~~~
wiuiu
"I took all the info to our CEO and got him demoted to server maintenance guy,
on the spot, and I took over his job"

WOW. You are a terrible human being.

~~~
__david__
> WOW. You are a terrible human being.

Yes, heaven forbid someone qualified run their IT dept. What's he supposed to
do? Sit around, idly hoping that someone else notices the incompetence?

I think OP made the right move. To me it sounds like the guy should have been
fired rather than demoted.

~~~
wiuiu
Really, David? Come on. How many times have you made a mistake? Were you demoted
and/or fired for a mistake? Now, let's not argue that you or all of us have not
fucked up. In my 7 yrs. as an engineer I have seen worse. However, that's not an
excuse to run to the boss/CEO to demote someone and take over their job. Think
about their family, kids before you do such an act.

If you defend such behavior for taking over job/demotion I seriously think
there lies greater problem in tech community.

Edit: HN is getting fucked up day by day. Any simple disagreement is greeted
with downvotes. Carry on.

~~~
cleverjake
"you are a terrible human being" is not really a simple disagreement.

"That seems like a rude thing to do" would be.

What you said was a personal attack, and a quite rude one at that.

~~~
dang
> What you said was a personal attack, and a quite rude one at that.

That's correct, and no doubt the reason for the downvotes.

~~~
waterlesscloud
The downvotes here have grown way out of control. Simple disagreement with the
majority opinion results in massive downvoting.

I've even seen numerous posts that contain nothing but factual information
that displeases the audience here be voted down into the gray. The post can be
in the flattest, most neutral tone possible, and if it's not what people want
to hear, down it goes.

It's discouraging, and it's to a point where I no longer feel a desire to
participate in this community. Frankly, I'm finding a number of subreddits to
be more inviting and more interesting these days.

I don't really see what can be done about it, if you even agree it's an issue,
but I did want to make a point of letting you know about a problem I've seen
grow worse over recent months.

~~~
DanBC
Do you have links to examples?

------
Someone1234
I am a former customer of theirs (in the UK) and just contacted CS about this.
I'm also looking into contacting the Information Commissioner's Office as this
issue is still open and my personal information (and that of the people I send
cards to) is still available to anyone who may want it.

I'm pretty sure them ignoring this for a year is illegal as it involves
personal information which their privacy policy didn't authorise them to
publish. However I'll leave it to the ICO to make that determination.

~~~
justincormack
My guess is that the ICO won't fine them very much as it did not include full
credit card numbers. However they might up it for failings in process, lots of
remedial measures, etc.

They might not even have PCI compliance issues alas.

The management will argue that they knew nothing, although that is becoming
less of a defence now.

~~~
iamtew
Doesn't matter, if they're a UK based company they fall under the EU GDPR and
can receive a fine of 5% of their worldwide turnover for any loss of personal
data, blanked out credit card numbers or not.

[http://en.wikipedia.org/wiki/General_Data_Protection_Regulat...](http://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Summary)

~~~
peteretep
There are more egregious examples of data protection violation here, and the
fines look pretty small:

[https://ico.org.uk/action-weve-taken/enforcement/](https://ico.org.uk/action-weve-taken/enforcement/)

------
ksk
[http://www.conosco.com/case-studies/moonpig-outsourced-it/](http://www.conosco.com/case-studies/moonpig-outsourced-it/)

>Protection against cyber attacks

Wow...

~~~
breakingcups
They've already removed it...

~~~
gbuckingham89
Google cached version:
[http://webcache.googleusercontent.com/search?q=cache:gkzZ7YK...](http://webcache.googleusercontent.com/search?q=cache:gkzZ7YKoCQYJ:www.conosco.com/case-studies/moonpig-outsourced-it/+&cd=1&hl=en&ct=clnk&gl=uk&client=safari)

------
driverdan
To anyone thinking of enumerating the customer IDs to play with this, be very
careful as it's illegal in the USA. That is exactly what weev was arrested and
convicted for.

~~~
tripzilch
> That is exactly what weev was arrested and convicted for.

Please don't spread this misinformation, the USA justice system doesn't work
(... like that). Weev was arrested for having a (very, _very_ ) loud mouth and
pissing off the wrong, powerful people/businesses/corporations.

If he'd have enumerated customer IDs for a smaller, lesser-known company such
as Moonpig, reported it to the media like he did, without being all
inflammatory and trollish[0] about it (or without having a history of
allegedly doing such things in very different contexts), he'd have gotten a
slap on the wrist, a fine, or something (if anything), but not been thrown
into prison as he was.

Your post makes it seem like Weev was convicted "for" doing something that is
illegal in the USA and that the justice system worked "exactly" how it is
supposed to, equally as it would apply to anyone.

[0] stating this as a fact of how it happened, not judging him about this, at
all

~~~
driverdan
There is more context to his arrest but the actions and evidence supporting
his conviction were as I described.

------
josephwegner
Apparently they hired these guys to help with "protection against cyber
attacks"

[http://www.conosco.com/case-studies/moonpig-outsourced-it/](http://www.conosco.com/case-studies/moonpig-outsourced-it/)

Awful...

~~~
dyadic
It's worth pointing out that the case study is from 2007, there's a good
chance that this company is no longer involved and likely wasn't involved in
building the API for apps and the security on them.

~~~
bbcbasic
In any case, once this is out, they will have to take the Moonpig case study
from their site.

~~~
flurdy
Yup, that link is now a 404.

------
dabeeeenster
Surely this is bad enough to warrant criminal prosecution? Not sure if that's
even possible in the UK but it ought to be...Shameful to have sat on that for
over a year. Shameful.

~~~
steakejjs
If this were the USA it would certainly be bad enough to warrant prosecution
of the researcher. I am not familiar with laws in the UK, however. Keep in
mind the similarities between this research and weev's research.

This type of blatant insecurity definitely should be punished and I wish more
policy makers both cared, and made the effort to understand the terminology
behind phrases like "No authentication", "Plaintext", Etc.

~~~
meowface
First of all, the company could definitely be sued for negligence in the US.
Not sure if they could in the UK.

Second, there are not that many similarities between this research and weev's
research. In this case, the researcher created 2 accounts which he had control
over, then read data from both of the accounts despite not authenticating to
either of them. He did not access any other customer's information (or at
least he's suggesting he didn't).

Weev on the other hand scraped private information for over 100,000 customers
and shared it with friends and reporters.

Both technically violated the CFAA, but weev's offense is a much greater
violation of customer privacy, while this researcher has not violated anyone's
privacy.

I still don't think weev should have gotten any jail time, but you're making
an unfair comparison.

~~~
richardwhiuk
Personally (and I know this is likely to be an unpopular sentiment on HN) I
have very little sympathy for weev.

He knowingly and deliberately attacked a weakness he had found to scrape data,
knowing that the access was unauthorized. I disagree that the data was in the
public domain (although the Third Circuit disagrees) - just because something
is accessible to the public doesn't mean it's in the public domain.

Just because he wrote it up as a security researcher doesn't mean he should be
immune for his actions - in fact in some ways it makes it worse because he did
it knowing that he was unauthorized.

He exposed the vulnerability to the press (so he didn't act in good faith
regarding the disclosure) and he did so potentially for monetary gain (he
claimed to be a member of a hacker group called “the organization,” making $10
million annually).

I think one part of improving cyber security is prosecuting people who
deliberately and maliciously hack into other systems who do so for either
monetary gain or fame. I think this is especially the case whereby they don't
act in good faith (e.g. providing proper disclosure).

~~~
geographomics
I agree, and feel that the EFF made quite the strategic error in supporting
Auernheimer's appeal.

~~~
teddyh
“ _The trouble with fighting for human freedom is that one spends most of
one’s time defending scoundrels. For it is against scoundrels that oppressive
laws are first aimed, and oppression must be stopped at the beginning if it is
to be stopped at all._ ”

— H. L. Mencken

~~~
throwawaykf05
_> "For it is against scoundrels that oppressive laws are first aimed..."_

[Citation Needed]

------
bbcbasic
Disgusting - this should be priority one for them to fix.

I just changed all my details to ones from a fake name/address generator, then
emailed moonpig to close my account. I will lose about 80 pence, but
nevermind.

I didn't see an option to get rid of my credit card details, so that may still
be vulnerable, especially with the NameOnCard field in the api.

~~~
Nexxxeh
I know my mum has a Moonpig account so I'm pissed about this, but I don't
recall if I have an account.

Recently, I have mostly been using CFHDocmail. It's 96p for a full colour A5
greeting card of your own design.

(It's also cheaper to use them to send letters than it is for me to buy a
stamp. They also do postcards, going as low as 38p delivered. Lots of
mailmerge and API stuff available too iirc, but I've never used any of it.)

Edit: They may use windowed envelopes for the cards. When I tested they
didn't, but now I've been told they do. I've not sent one to myself since my
original testing, and none of the recent recipients have said either way. I'll
make a quick one and send it to myself!

------
troels
Wow. This is actually still wide open. This is really bad.

Fun fact - you don't even have to send the basic auth header - it'll respond
just fine without it.

------
AAtticus
I'm sure the (outsourced) dev team will have a bad day tomorrow. This is just
unacceptable. According to the blog post he first made contact in 2013! Bugs
happen, but this is just bad design.

------
LukeB_UK
My comment from the other thread:

They also make it very difficult to delete your account. Rather than just have
a link on the site, you have to contact customer services and they say they'll
respond in 24-48 hours.

Not to mention the ways they try to hide you removing your card details. If
you want to remove your card details, do the following:

 _The easiest way to do this would be to go to the My Account page then click
on the ‘Add Moonpig Prepay Credit’ link, click on the Buy link and your saved
card details will be shown onscreen. Click on the ‘Remove Card’ option._

------
51Cards
Looks like the API is no longer accessible from here. Seems like they have
pulled it down.

~~~
hanoz
In the circumstances that might be a generous explanation for their
ID-enumerable, non-rate-limited API going down.
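The two server-side controls this thread keeps coming back to (troels: the API answers without any auth header; hanoz: the IDs are enumerable and nothing rate-limits the calls) are easy to state but worth seeing in one place. The following is an added example written for this page, not code from the Moonpig write-up, from Moonpig or from anyone in the thread. It models a small address-book endpoint over constructed in-memory data: every call must present a valid session, the requested customer ID must belong to that session's user (so sequential IDs cannot simply be walked), and each client gets a fixed-window request budget. Customer records, session tokens, client keys and the `limit`/`window_seconds` values are all constructed sample values.

```python
"""Object-level authorisation plus per-client rate limiting on a toy address-book API.

Added example, not code from the Moonpig write-up or the thread. All data below is
constructed sample data.
"""
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records with sequential customer IDs, as the thread describes.
ADDRESS_BOOK = {
    1001: {"owner": "alice", "addresses": ["1 Sample St, Sampletown"]},
    1002: {"owner": "bob", "addresses": ["2 Example Rd, Exampleville"]},
}
# Constructed session tokens -> username. A real service issues these at login
# and they are unguessable; the point here is only that one is required.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class FixedWindowRateLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client key."""
    limit: int
    window_seconds: float
    # client_key -> [window_start, count]
    _state: dict = field(default_factory=lambda: defaultdict(lambda: [0.0, 0]))

    def allow(self, client_key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        window_start, count = self._state[client_key]
        if now - window_start >= self.window_seconds:
            window_start, count = now, 0          # new window
        count += 1
        self._state[client_key] = [window_start, count]
        return count <= self.limit


# Constructed budget: 5 requests per minute per client.
limiter = FixedWindowRateLimiter(limit=5, window_seconds=60.0)


def get_addresses(session_token: Optional[str], customer_id: int,
                  client_key: str, now: Optional[float] = None):
    """Hardened handler. Returns (http_status, body)."""
    # Count the request before doing any lookup, so probing is budgeted too.
    if not limiter.allow(client_key, now):
        return 429, {"error": "rate limit exceeded"}
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, {"error": "authentication required"}
    record = ADDRESS_BOOK.get(customer_id)
    # Same 404 for "no such customer" and "not your customer": a distinct 403
    # would confirm that the ID exists, which is the enumeration signal to avoid.
    if record is None or record["owner"] != user:
        return 404, {"error": "not found"}
    return 200, {"addresses": list(record["addresses"])}


def vulnerable_get_addresses(customer_id: int):
    """For contrast only: the shape of handler the write-up describes.
    No session is checked, no ownership is checked, nothing is rate limited."""
    return list(ADDRESS_BOOK[customer_id]["addresses"])


if __name__ == "__main__":
    print(get_addresses("tok-alice", 1001, "client-a"))   # 200, Alice's own data
    print(get_addresses("tok-alice", 1002, "client-a"))   # 404, Bob's record is not hers
    print(get_addresses(None, 1001, "client-a"))          # 401, no session
```

The ownership check is the fix for the enumeration problem; the rate limiter only slows discovery and is no substitute for it. Passing `now` explicitly keeps the limiter deterministic in tests; production code would leave it at the monotonic clock.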

------
cdwhitcombe
In the address example you can even omit the arguments and it just returns you
a large list of addresses. Would expect this to be hitting the news here in
the UK tomorrow!

Judging by their parent company's website they seem to be PCI certified
([http://careers.photobox.co.uk/security-officer-moonpig/](http://careers.photobox.co.uk/security-officer-moonpig/)), which is
likely to be removed from them after this. Also, given the private information
on show, I would expect this breach of the Data Protection Act to mean a
large fine for them.

For anyone at risk from this you can't just cancel your account, but you can
manually go through and delete quite a bit of data such as address books and
they then disappear from the API calls.

~~~
MichaelGG
Been a while since I read PCI DSS but if the PAN isn't there, does it specify
you have to protect that information? Also, if they don't actually have the
PAN touch their servers (like, using a BrainTree or Stripe-like solution), PCI
compliance is quite minimal. Even PCI DSS 3.0 is trivial to deal with using
Stripe (they just insert an iframe so the CC info goes directly to their
site).

Of course, yeah, they don't deserve the benefit of the doubt here. Given such
a terrible API they probably are a mess inside, too.

~~~
cdwhitcombe
Reading that job spec I assumed they handle all the PCI side of things
themselves; if using Stripe etc. I doubt you'd need such an involved role.

Given the mess it looks like on the front, I would bet PANs are stored in
clear text too!

------
johngd
They have 3 other brands: [http://photobox.co.uk](http://photobox.co.uk)
[http://uk.paper-shaker.com](http://uk.paper-shaker.com)
[https://sticky9.com](https://sticky9.com)

Only the latter seems to enforce SSL. I registered a dummy account on Photobox,
username/password/email, via their form, which was not using SSL.

~~~
dpwm
Photobox acquired Moonpig in 2011 [1]. In 2010, Photobox got called out for
emailing passwords in plaintext[2], and were quick to take to twitter to say
"It will never happen again."[3] At that point, it had only been happening for
4 years [4].

Coupled with the tone of the job advert already posted by others [5], it
doesn't seem too hard to imagine a corporate culture where security is not a
serious concern until things go wrong.

[1] [http://www.bbc.co.uk/news/business-14275632](http://www.bbc.co.uk/news/business-14275632)

[2] [http://www.pcpro.co.uk/news/security/360163/photobox-sorry-a...](http://www.pcpro.co.uk/news/security/360163/photobox-sorry-after-email-screw-up)

[3] [https://twitter.com/PhotoBox/status/20719242964](https://twitter.com/PhotoBox/status/20719242964)

[4] [http://blog.dave.org.uk/2006/06/more-password-s.html](http://blog.dave.org.uk/2006/06/more-password-s.html)

[5] [http://careers.photobox.co.uk/security-officer-moonpig/](http://careers.photobox.co.uk/security-officer-moonpig/)

[edited for clarity]

~~~
mtmail
The number of companies that send (and possibly store) plain text passwords is
scary. I keep reporting them to
[http://plaintextoffenders.com/](http://plaintextoffenders.com/)

~~~
dpwm
I was about to ask why anyone would bother sending plain text passwords and
store them encrypted. I then remembered a high-school friend's first (and
largely unsupervised) job where IIRC he devised a ridiculous password
encryption (not hashing) scheme in PHP (on shared hosting).

Unrelated horror unfolded a couple of years later when for some peculiar
reason he had to move the site to a godaddy VPS. An unencrypted customer
database sitting at /db.sql, fully accessible to the world. Apache had been
configured to show directory indexes and, to take the site offline, /index.php
had been removed. I think at the time I even needed to explain the possible
consequences. I just remember being told that the database was restoring and
it wouldn't take too much longer!

I think any remaining part of me that implicitly trusted interesting websites
with personal data died that day.
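The "encryption (not hashing)" scheme in the comment above is the reason a site can end up emailing passwords in plaintext at all: if the stored form is reversible, the password is recoverable by the site and by anyone who obtains the database together with the key. The following is an added example for this page, not code from the thread or from any company it mentions. It places a constructed, deliberately weak fixed-key transform next to the standard one-way alternative (salted PBKDF2-HMAC-SHA256 from the Python standard library, verified with a constant-time compare). `SITE_KEY`, the iteration count and the sample passwords are constructed values.

```python
"""Reversible 'password encryption' beside salted one-way hashing.

Added example, not code from the thread. SITE_KEY and all passwords are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# --- the anti-pattern: a fixed-key reversible transform (constructed, deliberately weak) ---
SITE_KEY = b"hard-coded-key-in-config.php"   # constructed; in practice it sits next to the DB


def _xor_with_key(data: bytes) -> bytes:
    return bytes(b ^ SITE_KEY[i % len(SITE_KEY)] for i, b in enumerate(data))


def reversible_encrypt(password: str) -> bytes:
    """What gets stored under the scheme described in the comment."""
    return _xor_with_key(password.encode())


def reversible_decrypt(blob: bytes) -> str:
    """The same operation run backwards: a database dump plus SITE_KEY yields
    every user's password, which is also how 'we can email you your password' works."""
    return _xor_with_key(blob).decode()


# --- the standard approach: salted, slow, one-way ---
ITERATIONS = 600_000   # constructed tuning value; chosen to make each guess expensive


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user means equal passwords do not share a stored value."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time.
    Nothing here can produce the original password again."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "correct horse battery staple"        # constructed sample password
    blob = reversible_encrypt(pw)
    print("reversible scheme recovers password:", reversible_decrypt(blob) == pw)
    record = hash_password(pw)
    print("stored record:", record)
    print("login ok:", verify_password(pw, record), "wrong pw:", verify_password("x", record))
```

The stored record carries its own salt and iteration count, so the cost parameter can be raised later for new hashes without breaking existing logins. A dedicated password hash such as argon2 or bcrypt is the usual production choice; PBKDF2 is used here only because it ships with the standard library.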

------
arielm
It's astonishing that somewhere out in the modern world there's an api that
returns personally identifiable information without requiring any sort of
authentication.

What I find absurd is that the company hasn't done anything about it. Even if
they don't care/know about security they must at least care for bad PR...

But with all of that in mind, I don't know what's the best way to fight these
clueless behemoths. You disclose and thousands or even millions of people will
be compromised. You don't and those same people could be compromised but no
one will know because the attacker(s) will just continue to siphon information
quietly.

They should be waterboarded for making a responsible individual have to
choose.

For the record, I approve of this disclosure. Better to know the evil than let
it go on unnoticed.

~~~
tripzilch
> They should be waterboarded

Except, you know, for the part where that is an inhumane thing to do, even
when done to people that are actually guilty of committing terrible crimes.

> It's astonishing that somewhere out in the modern world there's an api that
> returns personally identifiable information without requiring any sort of
> authentication.

Hello, have you met the 21st century? It's a freakshow and clusterfuck of
planetary proportions. Although even accepting that fact, yes, I suppose that
doesn't make it less astonishing. Spoiler alert: things will probably get even
more astonishing before it gets less. Fasten your seatbelts, wear a hat, etc.

------
teh_klev
On top of this clusterfuck, I find it galling that I can't just close my
account and have all my details removed. Oh, no you need to fill in a contact
form.

------
comeonnow
Lots of users on Twitter saying to delete your account, but is there any proof
that this will exclude your account from the API?

~~~
kirun
It would probably be more effective to update your account with nonsense
details.

------
clobec
This is irresponsible disclosure. You should have contacted the Information
Commissioner's Office. They would have used legal powers to force Moonpig to
rectify this. There are very steep penalties for not protecting customer data.

Now that you've publicly disclosed this, opportunists (people one level above
script kiddies) will probably grab a data dump and compromise every customer.

Dealing with this via legal channels would have ensured a resolution whilst
protecting customer data from any opportunistic bad actor.

Shame on you. I can't wait for myself and my wife to get doxxed now. Thanks.

Also, FYI; the whole card number isn't returned because they are probably
tokenising the full card number with their payment gateway.... Or at least, I
hope.

DOWNVOTING because you don't agree with me? How rude. I believe I'm a making a
valid point, there are legal channels in place to help with this sort of
thing.

EDIT: Some people think I do not hold Moonpig responsible for this. I do! I
am not blaming the security researcher. What I am saying is that some
countries (like the one where Moonpig is incorporated and operates) have
agencies that deal with issues like these. Getting these agencies involved
before public disclosure is a much nicer way to deal with these sorts of
issues.

I'm aware that this exploit may already have been used but that doesn't mean
that we should tell everyone about it until it is resolved. Getting the ICO
involved may have resolved this issue a long time ago.

My disclosure - I have a friend that works at the ICO and she tells me that
these issues usually take them (on average) 2 months to sort out. Companies
get very anxious when the ICO contact them.

~~~
d23
You're getting mad at the wrong person here, full stop. This is gross,
inexcusable negligence and incompetence. I'm surprised this guy didn't wait
more than a few months, given the severity of this problem.

> whilst protecting customer data from any opportunistic bad actor

Riiiight. Do you honestly think something this basic wouldn't be discovered by
criminals soon, if not already?

~~~
clobec
> You're getting mad at the wrong person here, full stop.

No I'm not. I'm not angry. I realise this is the fault of Moonpig.

>This is gross, inexcusable negligence and incompetence. I'm surprised this
guy didn't wait more than a few months, given the severity of this problem.

I agree

>Riiiight. Do you honestly think something this basic wouldn't be discovered
by criminals soon, if not already?

We don't know if anyone has already used this. We don't know if anyone ever
knew about this. But now we know everyone knows about it. To be honest, I would
not be surprised if someone may have already used this for nefarious purposes,
but at this point in time there doesn't seem to be a public dump of data for
low-skilled hackers to continue using for years to come.

I still think this should not have been publicly disclosed in this manner. He
did not contact the ICO and he left this exploit open for a year because he
didn't know the mature way to handle this.

~~~
legrandkay
You do know that this is the first time a lot of people that do not live in
the UK are hearing of the ICO.

