by clobec 4181 days ago
This is irresponsible disclosure. You should have contacted the Information Commissioner's Office. They would have used legal powers to force Moonpig to rectify this. There are very steep penalties for not protecting customer data.

Now that you've publicly disclosed this, opportunists (people one level above script kiddies) will probably grab a data dump and compromise every customer.

Dealing with this via legal channels would have ensured a resolution whilst protecting customer data from any opportunistic bad actor.

Shame on you. I can't wait for myself and my wife to get doxxed now. Thanks.

Also, FYI; the whole card number isn't returned because they are probably tokenising the full card number with their payment gateway.... Or at least, I hope.

DOWNVOTING because you don't agree with me? How rude. I believe I'm making a valid point; there are legal channels in place to help with this sort of thing.

EDIT. Some people think I do not hold Moonpig responsible for this. I do! I am not blaming the security researcher. What I am saying is that some countries (like the one where Moonpig is incorporated and operates) have agencies that deal with issues like these. Getting these agencies involved before public disclosure is a much nicer way to deal with these sorts of issues.

I'm aware that this exploit may already have been used but that doesn't mean that we should tell everyone about it until it is resolved. Getting the ICO involved may have resolved this issue a long time ago.

My disclosure - I have a friend that works at the ICO and she tells me that these issues usually take them (on average) 2 months to sort out. Companies get very anxious when the ICO contact them.


That's a pretty heavy handed definition of irresponsible disclosure.

The onus of patching security flaws is on the company, not the security researcher. Responsible disclosure is a courteous and respectful form of helping a company fix their vulnerabilities, but it ceases to be responsible if agreeing to keep a vulnerability private enables the company to swipe it under the rug.

Top security talent at Facebook and Google can patch complicated vulnerabilities in a matter of hours, days or weeks. 17 months, even for the most unsophisticated engineering team, is inane. At that point, you could have spent 17 months rewriting the entire codebase from scratch.

What the discloser did here was perfectly reasonable - 90 days is typically considered the upper limit of time for a company to fix a vulnerability. This is typically the time that a vulnerability will be automatically eligible for public disclosure on, say, Hackerone. 17 months? No way.

Also, downvoting is a valid way to express disagreement, see this comment by Paul Graham: https://news.ycombinator.com/item?id=117171

I still don't see why he had to do this?

He had plenty of time to inform the ICO of this issue. He contacted Moonpig then let them sit on this for a year.

If he wants to be a disclosure hero, he could have at least told the ICO at the same time he told Moonpig.

The issue is 100% Moonpig's fault but he chose to disclose publicly rather than use the legal route set up to deal with these kinds of issues.

The whole responsible disclosure scene needs a reboot and people need educating on the responsible way to deal with these issues. Public disclosure should be a last resort (within reason). Not even contacting the ICO before doing this is shocking to me.

OP here and I agree with you. The ICO genuinely didn't even cross my mind and in hindsight I probably should have gone via that channel before publicly disclosing. Are there any set procedures to follow for this sort of thing?

Another minor consideration - here in the UK this was posted at 10PM - not exactly a friendly hour. It would have been nice to schedule the post for a time when UK businesses expect to operate. I don't expect they would have thanked you for it in any case, but they would probably have had both a better response time and a better organised response.
They had 17 months, and their Twitter account was still posting at 9pm this evening.

If they gave two shits about our data (and it might include mine, it definitely includes my mum's), or if they were capable of a sensible helpful coherent response, they'd have done it 16.5 months ago.

In reply to the child post (of my other comment), because I can't do so directly due to nesting limits:

>Have you read any of the above?

>It's clear they didn't care, that's why I'm saying the ICO should have been informed. That would force them to give a shit.

I had, at the time of writing my post, read all the comments on this story. I was commenting specifically on the parent's point about what time of day the story was posted. I don't disagree with you re: ICO.

However I don't think it's fair to characterize the disclosure as irresponsible. The fault lies with the vendor for not patching. Publicizing guy followed industry standard practices for responsible disclosure. Vendor is just fucking useless.

I'm unhappy, as I'm sure it'll cause an increase in spam and possibly spearphishing to my mum, which I will subsequently have to deal with. Yey. But that's Moonpig's fault.

Edit: And in response to the response to the response...

>Why are you saying the fault lies with the vendor? Do you think nobody knows that? Do you think that's not obvious? Do you think that's what I was commenting about?

Because it does. No, I think everyone knows that, however it was relevant to the rest of the paragraph. I don't think that was what your child post was about, however I didn't want to make ANOTHER post to voice my opinion.

>There's a difference between reading and comprehension.

I read AND UNDERSTOOD the comments, I was of course referring to your rhetorical question implying that I hadn't even read them. Apparently you didn't comprehend that?

Yes, quite clear that they didn't give it the priority it warranted (aka giving a shit) - just wanted to point out that there was a friendlier option timing wise. For my money, I'd have seen this disclosed 11 months ago - it's a serious vulnerability to the extent that I'm glad I've never used moonpig.com - but I'd have seen it disclosed in the UK daytime when the company was awake to be able to shut down its API. There's even an argument to be had that waiting as long as this is a little irresponsible - although that's covered to some extent by following up.

I don't know if it's legal to give advance warning of public disclosure - that could easily become a minefield as it might be interpreted as a threat, and linking it to a request to fix could seem coercive.

Have you read any of the above?

It's clear they didn't care, that's why I'm saying the ICO should have been informed. That would force them to give a shit.

You're getting mad at the wrong person here, full stop. This is gross, inexcusable negligence and incompetence. I'm surprised this guy didn't wait more than a few months, given the severity of this problem.

> whilst protecting customer data from any opportunistic bad actor

Riiiight. Do you honestly think something this basic wouldn't be discovered by criminals soon, if not already?

> You're getting mad at the wrong person here, full stop.

No I'm not. I'm not angry. I realise this is the fault of Moonpig.

>This is gross, inexcusable negligence and incompetence. I'm surprised this guy didn't wait more than a few months, given the severity of this problem.

I agree

>Riiiight. Do you honestly think something this basic wouldn't be discovered by criminals soon, if not already?

We don't know if anyone has already used this. We don't know if anyone ever knew about this. But now we know everyone knows about it. To be honest, I would not be surprised if someone may have already used this for nefarious purposes but at this point in time there doesn't seem to be a public dump of data for low skilled hackers to continue using for years to come.

I still think this should not have been publicly disclosed in this manner. He did not contact the ICO and he left this exploit open for a year because he didn't know the mature way to handle this.

You do know that this is the first time a lot of people that do not live in the UK are hearing of the ICO.

I would say that the period August 2013 to January 2015 is more than "a few months".

My wording was crappy there. I meant I'm surprised he didn't wait just a few months. As in, I'm surprised he didn't get impatient and do this earlier.

While your point is valid I think you're getting downvoted because you're completely forgetting that the probability of someone malicious finding out about this vulnerability and exploiting it without disclosing is quite high. Going through legal channels would just mean the API will be live for longer. Lawyers like to take their time.

Instead, the disclosure resulted in the API being shut down within the hour. A much better result IMO.

I don't disagree with you but I still think I have a good point.

He should have gone to the ICO straight away as well as reporting directly to Moonpig, then if it wasn't fixed within x amount of time, taken the next escalation step (which may or may not be public disclosure). Given that it's midnight in the UK now, we're lucky that they acted so quickly (assuming the offline API isn't just scheduled downtime).

Going public had no guarantee that it would have taken the API offline. I guess taking risks like that is easy when it's not your own data that's being compromised....

I'll add my two cents as a non-Brit: I have never heard of the ICO until this thread. Someone please correct me, but the closest thing we have in the States may be contacting the Attorney General?

I say this thinking of the argument the rest of the world makes when the DMCA threat is used against a non-US entity.

The ICO is a bureaucrat with responsibility for enforcing the Data Protection Act. There is a small amount of overlap with the Surveillance Commissioner who oversees all surveillance, especially under RIPA (Regulation of Investigatory Powers Act).

The ICO is reasonably good - I don't get any (personal) junk telephone calls or junk mail because of our laws about how companies handle my data. (This seems like a trivial example now I've typed it! But it did mark a clear difference between before and after ICO).

https://ico.org.uk/

The website and reporting is much better than it used to be. ("Please download, print, and complete this MS Word document, then post it to this address")

Moonpig is UK based. He could have looked up how to report a data breach in the UK.

Not sure what the DMCA reference is about. I understand that people use the DMCA on companies that are not US based, therefore it has no power. Still not sure why you mentioned that though.

Yea, you're right; I thought that some context might be needed after I posted.

They aren't related whatsoever, however the thought process of being put into the same position as the security researcher in this article is what made the connection for me. Assuming that the author wasn't from the UK (he probably is, but bear with me), as someone from the States I would have assumed that having an email exchange with the company was more than enough, especially if there was a reply on their end.

From my perspective, again knowing nothing about UK law (as much as people in the UK, China, or Fiji may know about US Law), I wouldn't know where to turn after that. Maybe a teaser post, without disclosing everything? If it weren't for the fact that the author stated that he had several two-way conversations with a representative of the company, I would have more sympathy for moonpig.

Speaking of which: How effective is the ICO?

The ICO is pretty well known in the UK though. I'm not from the UK and I know about them. (Mostly because of their role in the whole eu-cookie-law farce)

The guy who found the vulnerability in 2013 could have simply reported it to authorities at the time. If their turnaround was earlier than 2015, it would have worked out better, yes?

I'm guessing he didn't think the company wouldn't fix such a huge issue...

He could have reported this to the Information Commissioner's Office in 2013, and then if either the company or the IC failed to do anything, then disclose, at this exact timeline.

Then, at least, the legal system would have also been given a chance to resolve this without full disclosure and potential doxxing.

Probably downvoting because the whole (ir)responsible disclosure discussion has been had, for decades, with all arguments from all sides and repeating it here, again, would be just going through the motions.

Agree with clobec, I think this is irresponsible to disclose this so publicly.

There'll be a lot of collateral damage now.