The mobile app for greetings card website Moonpig has been disabled following a claim that a security bug exposed personal details of millions of customers.
A developer took to his blog to explain how a security bug in the website’s settings meant that anyone could pretend to be a different user, gaining access to credit card details and personal information, and being able to order from that account.
Developer Paul Price said he spotted the vulnerability more than a year ago and alerted Moonpig. He explained that the glitch was still in place, despite the company saying it would “get right on it”.
“We can assure our customers that all password and payment information is and has always been safe,” Moonpig said in a statement on its website.
“As a precaution, our Apps will be unavailable for a time while we conduct these investigations and we will work to resume a normal service as soon as possible.”
According to Price, the flaw is in the application programming interface (API): rather than sending information protected by individual account details, the API sent every request protected by the same credentials, irrespective of which user was signed in.
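As an added illustration (not Moonpig's code and not taken from Price's write-up), the design Price describes modelled in Python: a single app-wide credential that every request carries, with the account selected by a request parameter, beside a hardened handler that takes the account from the signed-in user's own session. Account records, key and function names are constructed for the example.

```python
"""Constructed model of a shared-credential API beside a per-user fix."""
import hmac
import secrets

# Constructed sample store: account id -> customer record (not real data)
ACCOUNTS = {
    101: {"name": "Alice", "card_last4": "4242"},
    102: {"name": "Bob", "card_last4": "1881"},
}

# Weak design: one credential baked into every copy of the app, so it
# proves only "this is the app", never which customer is signed in.
SHARED_APP_KEY = "app-wide-secret"


def lookup_vulnerable(request):
    """Trusts the caller-supplied account id once the shared key matches,
    so any signed-in user can read any other customer's record."""
    if not hmac.compare_digest(request.get("api_key", ""), SHARED_APP_KEY):
        return None
    return ACCOUNTS.get(request.get("account_id"))


# Hardened design: a per-user session token issued at login identifies
# the customer; the server, not the client, decides whose data is returned.
SESSIONS = {}  # token -> account id


def login(account_id):
    """Issue a random session token bound to one account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def lookup_hardened(request):
    """Derive the account from the token; reject any client-supplied account
    id that disagrees with the session owner (worth logging as an alert)."""
    owner = SESSIONS.get(request.get("token"))
    if owner is None:
        return None
    if request.get("account_id", owner) != owner:
        return None  # cross-account request: refuse and record it
    return ACCOUNTS[owner]
```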
The desktop and mobile website services were unaffected.