The Kardashians’ new websites leaked user names and emails

By Russell Brandom (@russellbrandom) on September 17, 2015 10:50 am
http://www.theverge.com/2015/9/17/9345289/kardashian-website-data-app-leak

The Kardashians’ latest round of apps is already dominating the app store — but the code supporting them may not be as sturdy as it seems. Yesterday, a developer named Alaxic Smith was exploring the sites connected to the new Kardashian apps and stumbled across an open JavaScript file, which in turn led him to the site’s API. As it turned out, the API was unsecured, and he was able to pull the full database of names and emails subscribed to the apps — nearly 900,000 in total. According to Smith’s description, he was also able to alter the data, destroying users, photos, or other content. He also pulled the overall user counts, reproduced below:

User Stats (as of 09/15/2015 2:27 AM PST)
Kylie Jenner (thekyliejenner.com): 663,270 Users
Kim Kardashian (kimkardashianwest.com): 80,679 Users
Kendall Jenner (kendallj.com): 50,756 Users
Khloe Kardashian (khloewithak.com): 96,635 Users
Total Users: 891,340

This kind of API error is a common security mistake, and crucially, no payment data was compromised in the leak. Still, it’s the kind of data that could be very useful to scammers and identity thieves. According to a statement from Whalerock, Smith was the only one to access the data and the company was able to patch the problem relatively quickly, although Smith’s Medium post was ultimately taken down to prevent wider exploitation of the bug. Still, it’s a reminder to developers not to discount security the next time they’re taking on a high-profile project.
