Moonpig vulnerability


Decoding the auth header gives *redacted*:*redacted*. That's not my username or password; these are static credentials sent with every request, so they identify the client application rather than the person using it. The only identifying piece of information left is the URL parameter customerId.


Every API request looks like this. The static credentials only prove that the caller is the app, so there is no per-user authentication at all, and the server never checks that the caller is entitled to the customerId it supplies. Pass in any customer ID and you impersonate that customer. An attacker could easily place orders on other customers' accounts, add or retrieve card information, view saved addresses, view orders and much more.
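To make the failure concrete, here is an added example (not code from the original post or from Moonpig) that models the pattern described above in plain Python: a handler that checks a shared application secret and then trusts a caller-supplied customerId, beside a hardened handler that derives the customer from a per-user session token and refuses any customerId that does not belong to it. The customer records, the app credentials and the session tokens are all constructed placeholders.

```python
"""Added example, not the original post's or Moonpig's code: a vulnerable
handler that trusts a caller-supplied customerId beside a hardened one that
derives identity from a per-user session. All data below is constructed."""
import base64
from typing import Dict, Optional, Tuple

# Constructed sample records (not real customer data).
CUSTOMERS: Dict[int, dict] = {
    101: {"name": "alice", "cards": ["4111********1111"]},
    102: {"name": "bob", "cards": ["5555********4444"]},
}

# Static credentials baked into the client app. The same pair is sent on every
# request, so it identifies the app, not the user (placeholder values).
APP_USER, APP_PASS = "appclient", "appsecret"

# Hardened design: a per-user bearer token issued at login maps, server side,
# to exactly one customer id (placeholder tokens).
SESSIONS: Dict[str, int] = {"tok-alice-9f3c": 101, "tok-bob-71aa": 102}


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic <b64>' header,
    or None if the header is not well-formed Basic auth."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, _, password = decoded.partition(":")
    return user, password


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def vulnerable_get_customer(headers: dict, params: dict) -> Optional[dict]:
    """The pattern the post describes: verify the shared app secret, then
    trust whatever customerId the caller put in the URL."""
    if decode_basic(headers.get("Authorization", "")) != (APP_USER, APP_PASS):
        return None  # only the app's shared secret is ever checked
    # No check that this caller owns the requested record.
    return CUSTOMERS.get(int(params["customerId"]))


def hardened_get_customer(headers: dict, params: dict) -> Optional[dict]:
    """Identity comes from the session token, never from the URL parameter;
    a customerId that does not match the session owner is refused."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    owner = SESSIONS.get(token) if scheme == "Bearer" else None
    if owner is None:
        return None  # no valid per-user session
    requested = int(params.get("customerId", owner))
    if requested != owner:
        return None  # object-level authorization failure: not your record
    return CUSTOMERS.get(owner)


if __name__ == "__main__":
    app_auth = {"Authorization": basic_header(APP_USER, APP_PASS)}
    # Any client holding the app secret can read Bob's record...
    print(vulnerable_get_customer(app_auth, {"customerId": "102"}))
    # ...while the hardened handler only ever returns the session owner's record.
    alice = {"Authorization": "Bearer tok-alice-9f3c"}
    print(hardened_get_customer(alice, {"customerId": "102"}))
    print(hardened_get_customer(alice, {"customerId": "101"}))
```

The point of the hardened version is that the customerId parameter becomes redundant: the server already knows who the caller is from the session, so the parameter is at most a consistency check, never the source of identity.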

And to think the problem was reported about 17 months ago …
