Security Vulnerability In New Kardashian Websites Coughs Up User Info For 600K Subscribers


If you’re not up to date on all your reality TV star news, perhaps you aren’t aware that the Kardashian/Jenner sisters recently launched new mobile apps and redesigned websites to stay even more connected with their adoring hordes than before. But while the family’s popularity has seen hundreds of thousands of people signing up for those sites, a new report says the personal information for many of those subscribers was available — albeit briefly — to anyone with the know-how to get it.

TechCrunch cites a blog post by a 19-year-old developer on Medium (which has now been taken down) detailing how he was able to access the full names and email addresses of more than 600,000 users who signed up for Kylie Jenner’s website, as well as get similar user data from the other sisters’ sites. It doesn’t appear that any payment information was vulnerable, however.

He also claimed he could create and destroy users’ accounts, photos, videos and other content, though it seems he didn’t actually try to do so.

He stumbled upon a misconfiguration in the site after he’d become curious about what was powering the sites, admitting that he’d downloaded Kylie’s app “just to check it out,” and then started digging around on the websites.

He found an open, unsecured API that allowed him to view a web page with the first and last names and email addresses of the 663,270 people who had signed up for the site, he said in the now-deleted blog post. He then repeated the trick on the other sisters’ sites.

All of this raises questions about the security of users’ personal information, something we’re all too familiar with at a time when it seems a new data breach is revealed every day.

The company behind the sites and apps, Whalerock Industries, confirmed to TechCrunch that user data was briefly available, but the issue was addressed quickly:

“Shortly after launch we were alerted that there was an open API. It was promptly closed. Our logs indicate that the author of the blog post was able to access only a limited set of names and email addresses. Our logs further indicate no one else had access and that no passwords nor payment data of any kind was exposed. Our highest priority is the security of our customers’ data.”

TechCrunch notes that most of the payments tied to the sisters’ new tech ventures go through the app stores and not on the websites, and that Whalerock is using a third-party e-commerce provider to deal with online payments. That would likely mean no payment information is hosted on Whalerock’s servers, keeping it safe despite this kind of security issue.

Kardashian Website Security Issue Exposes Names, Emails Of Over Half A Million Subscribers, Payment Info Safe [TechCrunch]
