In conjunction with the release of their new apps, which allow fans to subscribe to exclusive content from the celebrities for a nominal monthly fee, the Kardashian-Jenner sisters have each launched their own new websites this week. Of course, when you sign up as an early adopter of just about anything, there’s always the risk of something bad happening as a result.
In the case of the new Kardashian sites, you were opening a window to your personal data. But you’re not alone. In fact, the names and email addresses of about 891,340 users were exposed due to a flaw in the code that left the API open for everyone to see. The hole was discovered only a few hours after the apps and websites launched, by 19-year-old Web developer Alaxic Smith.
As the creator of his own community-driven, celebrity-focused app, Communly, Smith decided to start meddling in the sisters’ code to compare the data they were collecting to his own. Little did he know that the personal information of all their registrants would be so easily accessible: an amateur hacker’s dream come to life.
“I now had access to the first names, last names, and email addresses of the 663,270 people who signed up for Kylie Jenner’s website,” Smith wrote in a Medium post. “I then noticed that I could do the same API call across each of the websites and return the same exact data for each site. I also had the ability to create/destroy users, photos, videos, and more. It’s clear why this is a major issue, and raises the question: Should users trust not only their personal information but also payment information with these apps?”
Fortunately, Smith reached out to Whalerock Digital Media, the company behind the sites and apps, which initially made him take the Medium post down while cautioning against speaking with the media about the security oversight. After that, the media agency assured TechCrunch that the problem had been fixed and that any payments made prior to the patch had been secured.