Funky Pigeon - account take over

If you have an account with FunkyPigeon.com then you should be extremely concerned. It is possible for an attacker to gain access to your account which can contain your address details, recent orders, any uploaded photos, your contacts (and their addresses) and your reminders – all of this information can be changed, as well as your password, e-mail address and “security” question. An attacker could use your account balance to order a card in your name.

This has been fixed, see below

I won’t disclose how this as done as I’ll give them a chance to fix it first. Below you can see we have found Nina Greaves' account who was the "SEO & Internet Marketing Specialist" at FunkyPigeon.com (this information is publicly available):

"user": {
  "account_balance": 0.01,
  "address_id": null,
  "auth_token": "",
  "avatar": "",
  "email": "[email protected]",
  "first_name": "Nina",
  "has_facebook": false,
  "last_name": "Greaves",
  "tel": "",
  "title": "Miss",
  "user_id": 5
 }

At this point an attacker could issue an update command to change Nina’s e-mail address and then request a password reset to gain access to her account. If Nina had any balance in her account an order could be placed in her name.

How can I prevent this?

The answer to this is unfortunately don't have a FunkyPigeon account. If you already have one then there’s nothing you can do – you’ll just have to wait until they fix it. I have e-mailed Split Ink Studio (who own FunkyPigeon) and raised an issue with them so hopefully it should be fixed pretty soon. Fortunately (some-what) it’s not so trivial to attack a particular user. For example you can’t gain access to an account via an e-mail address, you have to know the users id beforehand. Although as user ids are incremental it would be pretty easy for an attacker to compose a database of all FunkyPigeon accounts and search upon this.

The fix

The API supports an “auth_token” which is presumably some sort of session variable for that user. It is returned when you issue a login command, however it is always blank and isn’t required for subsequent requests.

They seem to have around 1.7 million accounts on the database so a lot of people should be worried. And rightly so. I’ll keep this post updated on any official statement from them.

Update: Funky Pigeon have responded and basically said they will fix it ASAP, although they haven’t given any specific time frames. You would of thought it would be at the top of their priorities. As of 28/07/2013 it still works.

Update 2: This has now been fixed and Funky Pigeon have implemented the use of the auth_token field.