
Moonpig, which sells customised greetings cards and other items via UK, US and Australian sites, has a significant security flaw that could expose customer details and partial credit card information. It was reported by Paul Price in August 2013 but remained unfixed. The security hole means names, birth dates, email and street addresses can be accessed by changing the customer identification number sent in an API request. It also allows orders to be placed under any account and could allow access to the last four digits of credit cards and expiry dates. The lack of any limit on API requests meant…
This story continues at The Next Web
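The flaw class described above, as an added example that is not code from the article or from Moonpig: a handler that trusts the client-supplied customer id, beside one that takes identity from the session and limits requests per token. All names, records, tokens and limits here are hypothetical and constructed for illustration.

```python
import time

# Constructed sample data: hypothetical customer records, not real API output.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.test", "card_last4": "4242"},
    1002: {"name": "Bob Example", "email": "bob@example.test", "card_last4": "1881"},
}
# Hypothetical session store: bearer token -> customer id fixed at login.
SESSIONS = {"token-alice": 1001, "token-bob": 1002}

MAX_REQUESTS = 5        # assumed budget per token per window
WINDOW_SECONDS = 60.0
_recent = {}            # token -> timestamps of recent requests


def get_customer_vulnerable(request):
    """Flawed pattern: the record is chosen by an id the client supplies."""
    record = CUSTOMERS.get(request.get("customer_id"))
    return (200, record) if record else (404, None)


def _within_rate_limit(token, now):
    """Sliding-window counter so one caller cannot walk the id space."""
    hits = [t for t in _recent.get(token, []) if now - t < WINDOW_SECONDS]
    allowed = len(hits) < MAX_REQUESTS
    if allowed:
        hits.append(now)
    _recent[token] = hits
    return allowed


def get_customer_hardened(request, now=None):
    """Identity comes from the session; a supplied id must match it."""
    now = time.monotonic() if now is None else now
    token = request.get("token")
    owner_id = SESSIONS.get(token)
    if owner_id is None:
        return 401, None                      # unauthenticated
    if not _within_rate_limit(token, now):
        return 429, None                      # too many requests
    if request.get("customer_id", owner_id) != owner_id:
        return 403, None                      # id belongs to another account
    return 200, CUSTOMERS[owner_id]
```

Logging the 403 and 429 responses per token gives a detection signal for sequential id probing.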