Quotw

This was the week when London-based tacky, personalised card biz Moonpig exposed three million customers' personal records and partial credit card details for almost 18 months, after the security flaw in its system had been reported.
The mega cockup was first spotted by developer Paul Price, who quietly flagged up the glitch to Moonpig. He found that every account and the names, birth dates, email and street addresses could be accessed simply by changing the customer identification number sent in an API request.
As The Register's Darren Pauli explained: "Orders could be placed under any account. Credit card expiry dates and last four digits could be plucked out using a handy insecure API. Script-busting rate limiters were nowhere to be seen making it a cash cow for black hats, vandals, and their bots."
I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be waterboarded.
Every API request is like this: there's no authentication at all and you can pass in any customer ID to impersonate them.
An attacker could easily place orders on other customers' accounts, add or retrieve card information, view saved addresses, view orders and much more.
And yet, Moonpig sat on its hands for 18 months.
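The flaw Price describes is a textbook insecure direct object reference: the server trusts whatever customer ID the client sends, checks no session, and throttles nothing. The toy below is an added illustration written for this page; it is not Moonpig's code, and every record, token and ID in it is constructed. It places the vulnerable lookup beside a hardened version that derives the customer from an authenticated session, treats the client-supplied ID only as something to agree with, rate-limits per principal, and leaves card data out of the response entirely.

```python
"""
Constructed toy API illustrating the class of flaw described above: an
endpoint that serves any client-supplied customer ID (an insecure direct
object reference) with no authentication and no rate limiting, next to a
hardened version. Not Moonpig's code; all data below is made up.
"""
import time
from collections import defaultdict

# Constructed sample data store: customer_id -> record.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid",
           "card_last4": "4242", "card_expiry": "12/26"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid",
           "card_last4": "1881", "card_expiry": "03/25"},
}

# Constructed session store: bearer token -> customer_id that owns it.
SESSIONS = {
    "tok-alice-0001": 1001,
    "tok-bob-0002": 1002,
}


def get_customer_vulnerable(request):
    """Vulnerable pattern: whatever customer_id the client sends is served.
    No authentication, no ownership check, no rate limit, and the full
    record (including partial card data) goes back to the caller."""
    return CUSTOMERS.get(request["customer_id"])


class FixedWindowRateLimiter:
    """Simple per-principal fixed-window limiter (assumed design, not from
    the page). `clock` is injectable so the window can be tested."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(list)

    def allow(self, principal):
        now = self.clock()
        # Keep only hits that fall inside the current window.
        hits = [t for t in self._hits[principal] if now - t < self.window]
        if len(hits) >= self.limit:
            self._hits[principal] = hits
            return False
        hits.append(now)
        self._hits[principal] = hits
        return True


LIMITER = FixedWindowRateLimiter(limit=5, window_seconds=60)


def get_customer_hardened(request):
    """Hardened pattern: the customer is derived from the authenticated
    session, the client-supplied ID is only checked for agreement with it,
    and each principal is rate-limited. Returns (status, body)."""
    token = request.get("token")
    owner_id = SESSIONS.get(token)
    if owner_id is None:
        return 401, {"error": "authentication required"}
    # Throttle per authenticated principal (the token), not per requested
    # ID, so walking through IDs is limited as a whole.
    if not LIMITER.allow(token):
        return 429, {"error": "rate limit exceeded"}
    # Ownership check: the requested object must belong to the caller.
    if request.get("customer_id") != owner_id:
        # 404 rather than 403, so the endpoint does not confirm that
        # other customer IDs exist.
        return 404, {"error": "not found"}
    record = CUSTOMERS[owner_id]
    # Card expiry and last four digits are exactly what the page says
    # leaked; a profile endpoint has no reason to return them at all.
    return 200, {"name": record["name"], "email": record["email"]}
```

The practical point is the ordering in the hardened handler: resolve the principal from the session first, throttle on that principal, and only then compare the ID in the request against what the session is allowed to see. The missing step at Moonpig, as Price describes it, was the first one, and without it the other two have nothing to anchor to.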
The company has since released a statement dismissing claims that there was a serious weakness in its security system.
We are aware of the claims made ... regarding the security of customer data within our Apps. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the details behind today’s report as a priority.
As a precaution, our Apps will be unavailable for a time whilst we conduct these investigations and we will work to resume a normal service as soon as possible. The desktop and mobile websites are unaffected.
Over in the good ol' US of A this week, yanks at banks were facing a different kind of security breach.
Morgan Stanley confessed that the details of up to 10 per cent of its Wealth Management client list (that's 350,000 fat cats, fact fans) had been leaked online, after a rookie allegedly stole financial files from the firm.
Morgan Stanley said:
The data stolen does not include account passwords or social security numbers. The firm is taking the precaution of notifying all potentially affected clients and instituting enhanced security procedures including fraud monitoring on these accounts.
It's understood 30-year-old financial adviser Galen Marsh had been fingered by the bank, which has asked the FBI to step in, having concluded that no cash was stolen and all customers had been made aware of the breach.
However, Marsh "acknowledged that he should not have obtained the account information and has been cooperating with Morgan Stanley to protect the firm and its customers," his lawyer, Robert Gottlieb of Gottlieb & Gordon said.
"Mr Marsh did not sell nor ever intend to sell any account information whatsoever," Gottlieb said. "He did not post the information online. He did not share any account information with anyone nor use it for any financial gain. He is devastated by what has occurred and is extremely sorry for his conduct."
A malefactor posted a teaser of the data online, punting the sale of six million account records and passwords, while demanding payment in the virtual currency Speedcoin.