800,000 fans of the Kardashians left exposed after privacy blunder

Kim, Kendall, Khloe and Kylie. Earlier this week, some of the most famous people in the world with first names beginning with “K” launched subscription-based apps promising exclusive content from the Kardashian/Jenner clan.

19-year-old web developer Alaxic Smith downloaded Kylie Jenner’s app out of curiosity, and investigated her website.

In a blog post, entitled “The Insecurities of the Kardashians: Kim isn’t as Popular as Kylie”, Smith described what happened next:

I decided to take a look around to see what was powering the site. I started digging a little bit deeper and found a JavaScript file named kylie.min.75c4ceae105ad8689f88270895e77cb0_gz.js. Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected.

However, when Smith then logged into the site with his own username and password, a lot more information was spilled out – in fact, he realised he was able to access the names and email addresses of 663,270 of Kylie Jenner’s signed-up fans.

[Image: kylie-user-list]

Furthermore, through the open, unsecured API, Smith realised he was able to create and destroy users, photos and videos. And this wasn’t just true of Kylie Jenner’s website, but also of Kim Kardashian, Khloe Kardashian and Kendall Jenner. (Bad news girls, although between you you have over 200,000 fans – that’s dragging a long way behind Kylie).

[Image: kardashian-stats]
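The failure described above is a classic one: the API checked that the caller was logged in, but not what that particular caller was allowed to see or change. The following is an added illustration, not Whalerock’s code or anything taken from the apps themselves. It uses a constructed in-memory user table and two sets of handlers: the “open” handlers stop at authentication, so any signed-up fan can dump every member’s name and email or delete other accounts; the hardened handlers add an authorization step (admin role for listing, admin or self for deletion) and record denied attempts so that probing shows up in logs. All names, roles and sample records are assumptions made for the example.

```python
"""Authentication vs. authorization on a fan-site API (constructed example).

Added illustration, not the apps' real code. The 'open_' handlers model
the failure mode in the article: any logged-in user can read or delete
every record. The 'secure_' handlers add an object-level authorization
check and an audit trail of refused requests.
"""
import copy
from dataclasses import dataclass


class Forbidden(Exception):
    """Authenticated caller lacks permission for the requested action."""


@dataclass
class User:
    user_id: int
    name: str
    email: str
    role: str = "fan"  # assumed roles: "fan" or "admin"


@dataclass
class Session:
    user_id: int
    role: str


# Constructed sample data standing in for the subscriber database.
USERS = {
    1: User(1, "Site Admin", "admin@example.invalid", role="admin"),
    2: User(2, "Fan One", "fan1@example.invalid"),
    3: User(3, "Fan Two", "fan2@example.invalid"),
}


def login(user_id: int) -> Session:
    """Stand-in for the login step; returns a session for a known user."""
    user = USERS[user_id]
    return Session(user.user_id, user.role)


def require_login(session):
    if session is None:
        raise PermissionError("login required")


# --- Failure mode: authentication only -------------------------------------
def open_list_users(session, users):
    """Any logged-in caller gets every member's name and email."""
    require_login(session)
    return [(u.user_id, u.name, u.email) for u in users.values()]


def open_delete_user(session, users, target_id):
    """Any logged-in caller can delete any account."""
    require_login(session)
    del users[target_id]
    return True


# --- Hardened: authentication plus per-request authorization ---------------
def secure_list_users(session, users, audit):
    """Only admins may enumerate members; refusals are logged."""
    require_login(session)
    if session.role != "admin":
        audit.append(f"DENY list_users by user {session.user_id}")
        raise Forbidden("admin role required")
    return [(u.user_id, u.name, u.email) for u in users.values()]


def secure_delete_user(session, users, target_id, audit):
    """A user may delete only their own account unless they are an admin."""
    require_login(session)
    if session.role != "admin" and session.user_id != target_id:
        audit.append(f"DENY delete_user {target_id} by user {session.user_id}")
        raise Forbidden("not owner or admin")
    del users[target_id]
    return True


def attempt(action):
    """Run a handler and report 'forbidden' instead of raising."""
    try:
        return action()
    except Forbidden:
        return "forbidden"


def run_demo():
    """Exercise both handler sets as an ordinary fan; returns the outcomes."""
    fan = login(2)
    results = {}

    users = copy.deepcopy(USERS)
    results["open_list_count"] = len(open_list_users(fan, users))
    results["open_delete_other"] = open_delete_user(fan, users, 3)

    users = copy.deepcopy(USERS)
    audit = []
    results["secure_list"] = attempt(lambda: secure_list_users(fan, users, audit))
    results["secure_delete_other"] = attempt(lambda: secure_delete_user(fan, users, 3, audit))
    results["secure_delete_self"] = attempt(lambda: secure_delete_user(fan, users, 2, audit))
    results["audit_events"] = len(audit)
    results["remaining_users"] = sorted(users)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the audit list is as much defensive as the role check: a fan account that trips several `DENY` entries in quick succession is exactly the pattern an operator would want to alert on, and it is the kind of record Whalerock could later cite when saying who did and did not reach the data.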

Smith says he has reached out to Whalerock Digital Media, the firm behind the Kardashian clan’s apps, and advised them on how the problem can be fixed. As media attention rocketed, Smith chose to delete his blog post, although archived copies still exist on the web.

Whalerock Digital Media confirmed that user data had been accessible, telling TechCrunch:

“Shortly after launch we were alerted that there was an open API. It was promptly closed. Our logs indicate that the author of the blog post was able to access only a limited set of names and email addresses. Our logs further indicate no one else had access and that no passwords nor payment data of any kind was exposed. Our highest priority is the security of our customers’ data.”

It’s clearly a big relief that the payment details of fans of the Kardashian sisters weren’t being held on the Whalerock servers, but it’s easy to imagine how the contact details of almost one million devoted fans of the Kardashians could be exploited by criminals in, say, a spam or phishing campaign.

Remember this – malware, phishing and vulnerabilities aren’t the only potential security issues that could affect your smartphone. Another, often overlooked, threat is the legitimate apps that you install – can you trust that the app’s developers are handling your data securely, and have properly thought through how they are going to keep it out of reach of unauthorised third parties?

In the rush to build apps, shortcuts are often taken, meaning that security and privacy aren’t treated as a priority.

The Kardashians may be happy for every detail of their private lives to be recorded and made available for the general public to gawp at, but that doesn’t mean you would feel so happy with your personal details being visible for anyone to see.
