As we understand it, the reported vulnerability has not so far been used to steal personal information of Moonpig customers. However, it seems that the vulnerability, if confirmed, would allow an attacker to access the account details of other customers. Moonpig is telling its customers that all password and payment information is secure, but has made its mobile apps unavailable while it conducts further investigation.
It’s important that companies take information about a vulnerability in their products very seriously. After discovering a bug, researchers typically try to contact the company first and give them time to fix the issue before going public with their findings. If this vulnerability is confirmed, and it’s true that Moonpig has previously failed to take any action to protect their customers for almost a year and a half, this is alarming – especially for a provider of an online shopping application used to transmit highly sensitive data. In recent years, a number of companies have been willing to publicly acknowledge such issues and take steps to remedy the situation and offer advice to customers.
Clearly there are two aspects to any online transaction. We all have a responsibility to secure ourselves by only using secure web sites, legitimate apps and complex passwords to ensure that if one account is compromised it doesn’t put all our other online accounts in jeopardy. However, providers also have a responsibility to ensure secure communication between the customers and their own systems.
David Emm is Principal Security Researcher at Kaspersky, a provider of security and threat management solutions.
David joined Kaspersky in 2004. He is a member of the company's Global Research & Analysis Team (GReAT) and has worked in the anti-malware industry since 1990 in a variety of roles, including that of Senior Technology Consultant at Dr Solomon's Software, and Systems Engineer and Product Manager at McAfee.
In his current role, David regularly delivers presentations on malware and other IT security threats at exhibitions and events, highlighting what organisations and consumers can do to stay safe online. He also provides comment to broadcast and print media on the ever-changing cyber-security and threat landscape. David has a strong interest in malware, ID theft and the human aspects of security, and is a knowledgeable advisor on all aspects of online security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.