Whether you want to admit it or not you’ve most likely heard of the Kardashian/Jenner family. You may know the Kardashian name from the OJ Simpson trial back in 1995, or their recent fame from their reality television show on the E! network. It’s getting harder and harder to not keep up with them (believe us, we’ve tried).
As part of their latest effort to better engage with fans, the Kardashian/Jenner clan launched four individual websites and apps to give fans a bigger insight into their day-to-day lives (like we really needed to hear more about them). When Kylie Jenner’s website launched, a glitch was detected in the site’s foundation almost immediately: the full names and email addresses of over 600,000 subscribers were made visible. Through poor judgment, they inadvertently exposed thousands of people to security vulnerabilities.
While the Kardashian folks aren’t new to indecent exposure I’m sure their fans weren’t too thrilled about being exposed. You may be asking yourself: how could this happen? Well, the simple answer to this question is poor implementation and management of the websites’ and apps’ underlying technologies.
A recent article from TechCrunch reported that developer Alaxic Smith was the first to find the significant flaw within the websites. After some investigative digging, he found what was effectively an open, unsecured API, one that gave him access to the site’s entire user base. Not only could he read this information, he could also create and delete any and all users, photos and videos.
Luckily for the Kardashian/Jenner clan, Smith immediately notified Whalerock Industries (the company behind the website and mobile app) so the configuration could be fixed. Whalerock took action right away and secured the API. It’s still under investigation whether additional vulnerabilities exist in the code, but we doubt they’ll be making that mistake again.
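To make the failure mode concrete, here is an added example (ours, not code from the site or from Whalerock Industries) contrasting an API handler that serves the whole user table to any caller with a hardened handler that authenticates the caller and scopes what it returns. The user records, tokens and paths are constructed for the illustration and are not taken from the real site.

```python
"""Added example: an "open" user API beside a hardened one.

The vulnerable handler mirrors the problem described in the post: any caller,
authenticated or not, can list every subscriber and delete any of them.
The hardened handler requires a bearer token, returns only the caller's own
record unless the caller is an admin, and refuses deletes of other users.
All data below is constructed for the example.
"""
import copy
import hashlib
import hmac
from dataclasses import dataclass, field


def sample_users():
    """Fresh copy of a constructed user table (not the real site's data)."""
    return copy.deepcopy({
        1: {"id": 1, "name": "Alice Example", "email": "alice@example.test", "role": "user"},
        2: {"id": 2, "name": "Bob Example", "email": "bob@example.test", "role": "user"},
        3: {"id": 3, "name": "Carol Admin", "email": "carol@example.test", "role": "admin"},
    })


# Constructed API tokens. The server keeps only SHA-256 digests of them so a
# leaked database copy does not hand out working credentials.
TOKENS = {"tok-alice": 1, "tok-carol": 3}
TOKEN_DIGESTS = {hashlib.sha256(t.encode()).hexdigest(): uid for t, uid in TOKENS.items()}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def _target_id(path):
    """Parse /users/<id>; returns None for anything that is not an integer id."""
    try:
        return int(path.rsplit("/", 1)[1])
    except (IndexError, ValueError):
        return None


def vulnerable_users_endpoint(req, users):
    """The weak setting: no authentication, no authorization, whole table exposed."""
    if req.method == "GET" and req.path == "/users":
        return Response(200, list(users.values()))
    if req.method == "DELETE" and req.path.startswith("/users/"):
        users.pop(_target_id(req.path), None)
        return Response(204)
    return Response(404)


def authenticate(req, token_digests=TOKEN_DIGESTS):
    """Map a bearer token to a user id, or None. Digests are compared in
    constant time so the lookup does not leak timing information."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    for known, uid in token_digests.items():
        if hmac.compare_digest(known, presented):
            return uid
    return None


def hardened_users_endpoint(req, users, token_digests=TOKEN_DIGESTS):
    """The corrected setting: authenticate first, then authorize per record."""
    uid = authenticate(req, token_digests)
    if uid is None or uid not in users:
        return Response(401)
    caller = users[uid]
    if req.method == "GET" and req.path == "/users":
        # Listing every subscriber is an admin-only operation; ordinary
        # callers see only their own record.
        if caller["role"] == "admin":
            return Response(200, list(users.values()))
        return Response(200, [caller])
    if req.method == "DELETE" and req.path.startswith("/users/"):
        target = _target_id(req.path)
        if target is None or target not in users:
            return Response(404)
        if target != uid and caller["role"] != "admin":
            return Response(403)
        users.pop(target)
        return Response(204)
    return Response(404)


if __name__ == "__main__":
    anon = Request("GET", "/users")
    print("open API, anonymous GET /users ->", vulnerable_users_endpoint(anon, sample_users()).status)
    print("hardened API, anonymous GET /users ->", hardened_users_endpoint(anon, sample_users()).status)
```

The design point is the separation of the two checks: `authenticate` decides who is calling, and `hardened_users_endpoint` then decides what that caller may see or delete. Either check alone would have left the subscriber list exposed to some callers.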
API security remains a big topic in today’s app-centric world, and for good reason. If the Kardashians have taught us anything, it’s that API security is not something to overlook the next time you’re building a website or mobile app.