Users of Moonpig had their credit card details and personal details exposed to anyone for more than a year, a security expert has claimed.
A flaw in the website’s security settings has meant that anyone could pose as another user of the website, getting access to their credit card details and personal information, as well as being able to make orders from their account, claims Paul Price.
The problem was discovered in August 2013, and the expert who did so said that he told Moonpig about the problem then. Though Paul Price, who discovered the problem, said that Moonpig told him they would “get right on it”, he said that the flaw was still there until this morning.
Moonpig said this morning that it was aware of the claims and denied that customers' information was at risk.
"We can assure our customers that all password and payment information is and has always been safe," a Moonpig spokesperson said. "The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority."
The site’s API, an important part of the way that the website works, allows those who knew about the loophole to pretend to be another user. All that is required is to put a request in to Moonpig’s website with a customers’ ID number — the website does not verify those requests.
Paul Price wrote: “I've seen some half-arsed security messures in my time but this just takes the biscuit.
“Whoever architected this system needs to be waterboarded.”
Price said that he had made the company aware of the problem in August 2013. He said that a follow-up email in September told him that the problem would be resolved “after Christmas”.
Price said that given the lack of response by Moonpig, he chose to make the flaw public to “force Moonpig to fix the issue and protect the privacy of their customers”.
Moonpig has taken the app offline.
"As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible," the company said.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies