"Every API request is like this: there's no authentication at all and you can pass in any customer ID to impersonate them."
"An attacker could easily place orders on other customers' accounts, add or retrieve card information, view saved addresses, view orders and much more."
Original Source - http://www.ifc0nfig.com/moonpig-vulnerability/
http://www.theregister.co.uk/2015/01/06/moonpig_vulnerability/
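As an added illustration (not Moonpig's code and not taken from the linked articles), here is the defect the quote describes next to an authorization check that closes it; the handler names, sample orders and session tokens are constructed for this example:

```python
# Added example, not Moonpig's code: an endpoint that trusts a client-supplied
# customer ID, beside one that binds the lookup to the authenticated caller.
# All records and tokens below are constructed sample data.
from dataclasses import dataclass, field

ORDERS = {  # constructed: customer id -> saved orders
    1001: ["order-A1", "order-A2"],
    1002: ["order-B1"],
}
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}  # constructed bearer tokens


@dataclass
class Request:
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def get_orders_vulnerable(req):
    # Uses whatever customer ID the client sends and never checks who is
    # asking: any caller can read any customer's orders.
    cid = int(req.params["customerId"])
    return 200, ORDERS.get(cid, [])


def current_customer(req):
    # Resolve the caller from a bearer token; None when unauthenticated.
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def get_orders_hardened(req):
    # Authenticate first, then tie the object to the authenticated principal:
    # a customerId that is not the caller's own is refused (worth logging, as
    # it is the signature of ID enumeration), and the lookup uses the
    # session's ID, never the client's.
    cid = current_customer(req)
    if cid is None:
        return 401, []
    requested = req.params.get("customerId")
    if requested is not None and requested != str(cid):
        return 403, []
    return 200, ORDERS.get(cid, [])
```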
I've changed/deleted details on my account and requested it get deleted. Even if they fix the issues I won't be using moonpig again.
It's like a bank leaving the doors unlocked. Companies like Moonpig should be legally liable for customers' losses and I'd even go as far as to make it a criminal offence... in fact I think it might already be under the Data Protection Act?
I would imagine there's a pretty nasty PCI audit on its way to them right now...