Greeting card maker Moonpig has shut down its API and mobile apps in response to an alleged security vulnerability in the API. Paul Price, a third-party developer who used the company’s API, reported that the API would allow developers to obtain personal information for Moonpig’s customers. “There’s no authentication at all and you can pass in any customer ID to impersonate them,” Price explained on his blog. He said that he originally told the company about the problem 17 months ago but the firm did not take any action until he went public with the information.
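The pattern Price describes, a customer-lookup endpoint that accepts any client-supplied customer ID with no authentication, shown beside a hardened handler that derives the customer from an authenticated session, as an added example (not Moonpig's code; every record, token and function name below is constructed for illustration):

```python
# Added example, not Moonpig's code: a customer-lookup endpoint that trusts a
# client-supplied customer ID with no authentication, beside a version that
# authenticates the caller and ties the lookup to the session's identity.
# All records, tokens and names below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

CUSTOMERS = {  # constructed sample data store
    1001: {"name": "A. Example", "email": "a@example.invalid"},
    1002: {"name": "B. Example", "email": "b@example.invalid"},
}
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}  # bearer token -> customer id

class Forbidden(Exception):
    pass

@dataclass
class Request:
    params: dict                       # parameters supplied by the client
    auth_header: Optional[str] = None  # e.g. "Bearer tok-alice"

def vulnerable_lookup(req: Request) -> dict:
    """The flaw the article describes: no authentication, and the customer
    identity is taken straight from a client-controlled parameter."""
    return CUSTOMERS[int(req.params["customer_id"])]

def authenticate(req: Request) -> int:
    """Resolve the caller to a customer id from a valid session token."""
    scheme, _, token = (req.auth_header or "").partition(" ")
    if scheme != "Bearer" or token not in SESSIONS:
        raise Forbidden("missing or invalid credentials")
    return SESSIONS[token]

def hardened_lookup(req: Request) -> dict:
    """Identity comes from the session, not the request; a supplied
    customer_id is honoured only when it matches the authenticated caller."""
    caller = authenticate(req)
    if int(req.params.get("customer_id", caller)) != caller:
        raise Forbidden("customer_id does not belong to the caller")
    return CUSTOMERS[caller]

def refused(req: Request) -> bool:
    """True when the hardened endpoint rejects the request."""
    try:
        hardened_lookup(req)
    except Forbidden:
        return True
    return False
```

The defensive point is that the object a caller may read is decided from server-side session state, so a parameter the client controls can never widen access beyond the caller's own record.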
Experts say the incident shows the potential security risks related to APIs, which are used widely throughout the mobile development industry. “Unlike with traditional web applications, much of what goes on beneath the glossy facade of an app is hidden from the user—but with the right tools and the right knowledge, it can be trivial to identify and exploit any vulnerabilities that might affect it,” said Paul Mutton, a security researcher at Netcraft.
Moonpig had more than 10 million users as of February 2014.