A teenage app developer has found a backdoor that opens up the names and e-mail addresses of Kylie Jenner fans who just downloaded her new mobile app.
Kim Kardashian West, Khloé Kardashian, Kendall Jenner and Kylie Jenner each launched mobile apps this week with basically the same technical design and functionality. But it was 18-year-old fashionista Kylie Jenner who set the all-time records as her $2.99-per-month app scored over 700,000 downloads in the first three days for the “free peek” 7-day trial.
Paid subscribers to the girls’ sites get access to what has been called a VIP social media club, offering a look into the sisters’ lifestyles, including diary entries, live video, beauty tutorials, workout tips and more.
The traffic was so heavy that Kylie went on Twitter to apologize that her app was experiencing some technical difficulties because the tsunami of fans trying to sign up was frying the sites’ servers.
But teen Alaxic Smith, co-founder of the Communly site, which follows sub-adult celebrity lifestyles, quickly found a backdoor in Kylie’s site design: the site exposed an open and almost completely unsecured application programming interface (API).
Smith was able to gain access to all user data on each of the Kardashian/Jenner websites. He would also have been able to reach credit card data, except that most payments for the sisters’ offerings were processed by the Apple, Google and other app stores rather than through the web.
Smith followed a routine approach: he logged into the site with a user name and password, then browsed around looking for weaknesses, and found a web page that listed the first and last names and email addresses of the 663,270 people who had signed up for the site, according to TechCrunch.com.
In guerrilla marketing fashion, Smith outed his hack on the blogging site Medium. He wrote that when he took a basic look at security on the Kardashian/Jenner sites, the design setup was so amateurish that he immediately found glaring inadequacies that could be easily exploited by hackers. Smith posted:
I’ll admit I downloaded Kylie’s app just to check it out. I also checked out the website, and just like most developers, I decided to take a look around to see what was powering the site. After I started digging a little bit deeper, I found a JavaScript file named kylie.min.75c4ceae105ad8689f88270895e77cb0_gz.js. Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected.
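The failure mode described above, as a constructed illustration that is not Whalerock’s code: an API handler that hands any caller the whole subscriber list, beside a version that requires a valid session and only returns the caller’s own record. The data, session tokens and function names are assumptions made up for the example.

```python
# Constructed sample data: subscriber records and session tokens (hypothetical).
USERS = {
    1: {"first": "Ann", "last": "Lee", "email": "ann@example.com"},
    2: {"first": "Bo", "last": "Kim", "email": "bo@example.com"},
}
SESSIONS = {"tok-ann": 1, "tok-bo": 2}  # session token -> user id


def users_endpoint_unsafe(session_token, user_id=None):
    """Vulnerable pattern: the endpoint URL is visible in the site's JavaScript,
    and the server never checks who is asking. Every caller, logged in or not,
    can dump every subscriber's name and e-mail."""
    if user_id is None:
        return 200, list(USERS.values())
    return 200, USERS.get(user_id)


def users_endpoint_hardened(session_token, user_id=None):
    """Hardened pattern: a client-side URL is public, so the server must
    authenticate the caller and authorize each record it returns."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return 401, {"error": "authentication required"}
    if user_id is None:
        user_id = caller  # no bulk listing; default to the caller's own record
    if user_id != caller:
        # Cross-user reads are refused. Answering 404 instead of 403 avoids
        # confirming which ids exist to someone probing the id space.
        return 404, {"error": "not found"}
    return 200, USERS[caller]
```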
The Kardashian/Jenner websites were designed and managed by Whalerock Industries, a media/technology company that creates, produces and distributes digital properties to over 70 million people and generates more than a billion page views per month. Whalerock digital brands include Moviefone, Wonderwall.com, Mandatory.com, Mom.me, Tested.com, PurpleClover.com, Tasted and Cinefix.
Whalerock claims on its website that it “integrates the best practices and learnings of the technology and media worlds, building a scalable, innovative digital and production infrastructure to create captivating, next-generation media experiences.”
Smith, in a sign of goodwill to the sisters, reached out to Whalerock before the Medium post went up, and Whalerock quickly issued a security patch.
Nobody knows so far whether a less well-meaning hacker had already data-mined the girls’ websites, which have had over a million combined downloads.