The Kardashians are often called “over-exposed,” but a flaw in recently launched websites for the celebrity family offered exposure of an entirely different kind: the names and email addresses of more than half a million users.
A 19-year-old developer, Alaxic Smith, poked around in the code and found that he could access the information of users who signed up for Kylie Jenner’s website, and could pull similar user data from the other websites. He also said that the flaw would allow an attacker to create and destroy user profiles, and access and delete photos, videos and more.
“I’ll admit I downloaded Kylie’s app just to check it out,” he wrote on his blog site. “I also checked out the website, and just like most developers, I decided to take a look around to see what was powering the site. After I started digging a little bit deeper, I found a JavaScript file. Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just liked I expected.”
But he then logged into the website with his own user name and password and was able to gain access to a web page that contained the first and last names and email addresses of the 663,270 people who had signed up for the site, he says. And, he found that he could use the same API call across each of the other sisters’ websites.
Suni Munshani, CEO of Protegrity, a data security platform and solutions provider, told Infosecurity via email that "every CEO should wish it was a Kardashian” but that, unlike CEOs, the sisters are exhibiting basic security bad practice by using an unsecured API.
“The impressive money-making machine that is the Kardashian empire, credited to their business savvy managerial styles, has the kind of growth and popularity most CEOs dream of,” he noted. “Their ‘exclusive’ photos rake in the top dollar, their apps see hundreds of thousands of downloads in the first few days and people are actively trying to find security flaws in their websites and apps. Their success results in a lot of collected data, and with big data, comes big responsibility. In the future, data security will be important for keeping critical business issues under wraps and to help the empire continue to grow."
The company that built the site, Whalerock, confirmed that the API is now closed and that there’s no indication of nefarious access.