Moonpig, the online personalised card company, has been accused of a shockingly sloppy attitude to security, after apparently leaving a serious hole in its security unpatched. The vulnerability, which was said to have been first reported to Moonpig back in August 2013 (yes, 2013) allows anyone with a modicum of programming knowledge to access the names, dates of birth, email and home addresses of the company’s 3.6 million customers.
All that it takes is to change the Customer ID number sent in an API request. No authentication is required.
Read the full story at welivesecurity