Moonpig vulnerability


Decoding the auth header we get *redacted*:*redacted*, that’s not my username or password – these are static credentials sent with every request. The only identifiable piece of information left is the URL parameter customerId.


Every API request is like this, there’s no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers' accounts, add/retrieve card information, view saved addresses, view orders and much more.

And to say the problem was reported about 17 months ago …
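The flaw described in the quote, next to a server-side fix, as an added example that is not code from Moonpig or from the original write-up. The handler names, credential, tokens and address data are all hypothetical and constructed for illustration.

```python
import base64
import hmac

# Constructed sample data: every name and value here is hypothetical.
STATIC_APP_CREDENTIAL = b"app-user:app-pass"   # identical in every copy of the app
ADDRESSES = {"1001": ["1 Alice Road"], "1002": ["2 Bob Street"]}
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}  # per-user token -> customer ID


def basic_credential(headers):
    """Decode an 'Authorization: Basic ...' header to raw bytes, or None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def get_addresses_vulnerable(headers, params):
    """Pattern from the quote: shared app secret plus caller-chosen customerId."""
    cred = basic_credential(headers)
    if cred is None or not hmac.compare_digest(cred, STATIC_APP_CREDENTIAL):
        return 401, None
    # The credential identifies the app, not the user, so any ID is served.
    return 200, ADDRESSES.get(params.get("customerId"), [])


def get_addresses_hardened(headers, params):
    """Derive the customer from a per-user token and reject mismatched IDs."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    customer_id = SESSIONS.get(token) if scheme == "Bearer" else None
    if customer_id is None:
        return 401, None
    # customerId becomes optional; if sent, it must match the token's owner.
    requested = params.get("customerId", customer_id)
    if requested != customer_id:
        return 403, None  # authenticated, but not authorised for this record
    return 200, ADDRESSES[customer_id]
```

A 403 from the hardened handler is also a useful detection signal: a legitimate client never asks for a customer ID other than its own.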

Moonpig vulnerability →

Published by Bramus!
