Ironically, the flaw was brought to Moonpig's notice almost 18 months ago by developer Paul Price.
Customer accounts can be accessed by changing the customer identification number sent in an API request.
Further, anybody can place orders through the accessed accounts.
Anybody can also obtain the last four digits of credit card numbers and their expiry dates through the insecure API.
These records can then be used to make fraudulent purchases online.
…I hit my test users a few hundred times in quick succession and I was not rate limited.
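As an added illustration (not Moonpig's code or Paul Price's), the pattern described above in Python: a handler that trusts the customer id supplied in the request, beside one that derives the owner from the authenticated session and rate-limits each caller. All customer records, session tokens and limits here are constructed.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: customer_id -> record (only masked card data).
CUSTOMERS = {
    1001: {"name": "Alice", "card_last4": "4242", "card_expiry": "09/27"},
    1002: {"name": "Bob", "card_last4": "1111", "card_expiry": "03/26"},
}
# Constructed session table: session token -> customer_id of the logged-in user.
SESSIONS = {"sess-alice": 1001, "sess-bob": 1002}


def get_customer_insecure(session_token, requested_customer_id):
    """Vulnerable pattern: the caller is authenticated, but the customer id in
    the request is trusted as-is, so any logged-in user can read any record."""
    if session_token not in SESSIONS:
        return (401, None)
    return (200, CUSTOMERS.get(requested_customer_id))


class RateLimiter:
    """Sliding window per caller: at most `limit` calls in `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)  # caller -> timestamps of recent calls

    def allow(self, caller, now=None):
        now = time.monotonic() if now is None else now
        recent = self.calls[caller]
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop calls that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter(limit=20, window=60.0)


def get_customer_secure(session_token, requested_customer_id, now=None):
    """Hardened: owner comes from the session, a mismatch is refused, and calls
    are rate-limited per session so id enumeration is throttled and logged as 429s."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return (401, None)
    if not LIMITER.allow(session_token, now):
        return (429, None)
    if requested_customer_id != owner:
        return (403, None)  # or 404, to avoid confirming which ids exist
    return (200, CUSTOMERS[owner])
```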
Moonpig was founded by Nick Jenkins; "Moonpig" was his nickname at school, hence the name of the brand.
In July 2011, Moonpig was bought by PhotoBox, which now operates it.
Tweet from andy piper (pipes) (@andypiper), January 6, 2015: "It's ok everyone!"
source: www.techworm.net