Moonpig Vulnerability

Started by Jamoe, January 06, 2015, 10:39:29 AM


Jamoe

Quote:
"Every API request is like this: there's no authentication at all and you can pass in any customer ID to impersonate them.
"An attacker could easily place orders on other customers' accounts, add or retrieve card information, view saved addresses, view orders and much more."

Original Source - http://www.ifc0nfig.com/moonpig-vulnerability/

http://www.theregister.co.uk/2015/01/06/moonpig_vulnerability/

I've changed/deleted details on my account and requested it get deleted. Even if they fix the issues I won't be using moonpig again.
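The quoted description, a customer ID supplied by the client and trusted by the server with no authentication, is the classic missing-authentication / insecure direct object reference pattern. The following is an added illustration, not code from the original post, from the linked write-up or from Moonpig: a toy API handler in the vulnerable shape beside a hardened one that derives the customer from a server-side session and rejects any mismatching ID. The customer records, the token scheme and all function names are constructed for this example.

```python
"""
Added example (not Moonpig's code): the vulnerable pattern described in the
thread beside a hardened version. All data, names and the token scheme
below are constructed for illustration only.
"""
import secrets

# Constructed sample data: two customers and their saved (masked) cards.
CUSTOMERS = {
    1001: {"name": "Alice", "cards": ["4111********1111"]},
    1002: {"name": "Bob", "cards": ["5500********0004"]},
}

# Server-side session store: bearer token -> customer_id, filled at login.
SESSIONS = {}


class Unauthorized(Exception):
    """Raised when a request is unauthenticated or targets another account."""


def login(customer_id):
    """Issue a random bearer token bound server-side to exactly one customer.
    (Hypothetical login; a real API would verify a password or similar.)"""
    token = secrets.token_hex(16)
    SESSIONS[token] = customer_id
    return token


# --- Vulnerable pattern: the client names the customer, nothing checks it ---
def get_cards_vulnerable(request):
    """request = {"customer_id": int}. Whoever sends the request, for any ID,
    gets that customer's saved cards back. This is the shape the quote describes."""
    cid = int(request["customer_id"])
    return CUSTOMERS[cid]["cards"]


# --- Hardened pattern: identity comes from the session, not the request ---
def authenticated_customer(request):
    """Resolve the caller's identity from an Authorization: Bearer header
    by looking the token up server-side. Anything else is rejected."""
    header = request.get("headers", {}).get("Authorization", "")
    if not header.startswith("Bearer "):
        raise Unauthorized("missing bearer token")
    cid = SESSIONS.get(header[len("Bearer "):])
    if cid is None:
        raise Unauthorized("unknown or expired token")
    return cid


def get_cards_hardened(request):
    """Use the authenticated customer as the object owner. A customer_id in
    the request is only accepted when it equals the session's customer, so
    it can never widen access; the lookup itself is keyed on the session."""
    cid = authenticated_customer(request)
    requested = request.get("customer_id")
    if requested is not None and int(requested) != cid:
        raise Unauthorized("customer_id does not match authenticated user")
    return CUSTOMERS[cid]["cards"]


def try_get(handler, request):
    """Call a handler and return its result, or None if access was denied
    or the ID does not exist (same outcome for both, so IDs cannot be probed)."""
    try:
        return handler(request)
    except (Unauthorized, KeyError):
        return None


def enumerate_customers(handler, id_range, headers=None):
    """What an attacker does against an endpoint like the vulnerable one:
    walk a range of customer IDs and collect whatever comes back."""
    leaked = {}
    for cid in id_range:
        request = {"customer_id": cid}
        if headers is not None:
            request["headers"] = headers
        data = try_get(handler, request)
        if data is not None:
            leaked[cid] = data
    return leaked


if __name__ == "__main__":
    # Anonymous caller walking IDs 1000..1004 against each handler.
    print("vulnerable:", enumerate_customers(get_cards_vulnerable, range(1000, 1005)))
    print("hardened:  ", enumerate_customers(get_cards_hardened, range(1000, 1005)))
    # Alice logs in and tries her own record, then Bob's.
    alice = {"Authorization": "Bearer " + login(1001)}
    print("own record:", try_get(get_cards_hardened, {"headers": alice, "customer_id": 1001}))
    print("other's:   ", try_get(get_cards_hardened, {"headers": alice, "customer_id": 1002}))
```

The point of the hardened handler is not the bearer token itself but that the object being looked up is chosen by the server from the authenticated session; the client-supplied ID is, at most, an assertion that must match. Note also that a denied request and a non-existent ID produce the same outcome, so an attacker holding a valid session still cannot enumerate which IDs exist.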

smilodon

It's like a bank leaving the doors unlocked. Companies like Moonpig should be legally liable for customers' losses and I'd even go as far as to make it a criminal offence... in fact I think it might already be under the Data Protection Act?
Whatever's gone wrong it's not my fault.

Tutonic

I would imagine there's a pretty nasty PCI audit on its way to them right now...
Hero of the Battle Of Chalkeia
"Don't worry, none of this blood is mine"