Top Stories
Top Stories

Moonpig’s users’ details at risk from security flaw in app


Personal details, including credit card information, of the mobile customers of greetings card company Moonpig have been exposed to hackers for over a year, a developer has claimed.

A security flaw in the company's app – which lets people design and send custom cards and gifts – enables hackers to intercept personal information sent by users to Moonpig's main servers, according to a blog post by Paul Price, who describes himself as a developer on his website. Cybercriminals could even place a product order through another user's account, he claimed.

Moonpig, which is owned by UK-based Photobox, said customers' information was not at risk, but it had closed down the app and was investigating the claims.

"We can assure our customers that all password and payment information is and has always been safe," the company said in a statement.

'Get right on it'

Price claimed to have told Moonpig about the app's vulnerability on August 18 2013, and the company said it would "get right on it." Price then followed up on September 26, 2014 and Moonpig said the issue would be resolved around Christmas. After nothing was done, Price said he decided to reveal the flaw.

The security loophole was found in the Application Programming Interface (API), which allows Moonpig's mobile apps to communicate with its main servers. The information transferred via the API – such as personal details – was not securely encrypted, according to Price, allowing him to intercept the communication.

Read MoreSony hack reveals celebs' Social Security numbers

The developer's post also showed that a hacker could get the last four digits of a user's credit card, but not the whole card number.

Moonpig's Android app has been taken offline following the report. The desktop and mobile websites were unaffected.

One security expert said it would be hard for a hacker to steal full payment information through the flaw, but warned that personal data could be collected and used for other scams, such as an email phishing attack. This is when an email with a malicious link is sent to a user.

"You can't get a password, you can't change a password and can't get full credit card information," EJ Hilbert, head of cyber investigations at Kroll EMEA and former FBI agent, told CNBC by phone.

"Could you hack into accounts? No. Could you use that information for other scams? Yes."

Related Tags