Being famous for being famous isn’t easy. In tandem with the release of apps that let fans trade money for exclusive content, the Kardashian-Jenner sisters launched new websites this week. However, they left the personal data of some 891,340 users right out in the open. Oops.
So it seems the Kardashians and the Jenners need a little help with their cyber security prowess. Just a few hours after the apps and websites went live, 19-year-old developer Alaxic Smith was poking around the code to see what kind of data they were collecting. (He built his own celebrity-focused social media app, Communly, and was just curious how his competition worked.) It didn’t take long for him to realise that the app developers had left their API wide open. Smith wrote on Medium:
I now had access to the first names, last name, and email addresses of the 663,270 people who signed up for Kylie Jenner’s website. I then noticed that I could do the same API call across each of the websites and return the same exact data for each site. I also had the ability to create / destroy users, photos, videos, and more. It’s clear why this is a major issue, and raises the question: should users trust not only their personal information but also payment information with these apps?
The same technique worked on the websites for Kim Kardashian, Khloe Kardashian, and Kendall Jenner — all of which had far fewer users than young Kylie’s app.
Here’s the good news, if you happened to be one of those users: Whalerock Digital Media, the company that built the apps, says your payment is safe and the hole’s been patched. In fact, they were bungled enough by the headline-grabbing discovery that they forced Smith to take down his Medium post and forbid him from talking to the media. (You can read a cached version of the post here.)
There’s no Kardashian-induced cybercelebpocalypse right around the corner. Exposing users’ names and email addresses is spammy at worst. However, it’s never good when massively popular apps or websites leave data out in the open. Sure, it’s not as bad as when the government leaves its employees confidential information vulnerable. But it’s not cool.
[Medium via TechCrunch]
Image via Getty