The new Kardashian and Jenner sister websites, which launched Monday, exposed the names and emails of more than half a million subscribers.
Alaxic Smith, a 19-year-old developer, discovered a misconfiguration issue that could be exploited to gain access to a list of users’ names and emails.
Earlier this week the Kardashian/Jenner sisters launched four subscription-based apps so that they could share exclusive content with fans willing to pay. Alongside those apps they also rolled out their own websites, one for each of the four participating sisters.
In his original Medium post, which can still be found via a cached Google page, Smith said:
“Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected.”
But then he logged onto Kylie’s website with his own username and password and found that the same endpoint now returned a page listing the first and last names of 663,270 users. He then tried the same thing on each of the sisters’ websites and found it worked across all of them.
In total, 891,240 users were exposed, according to Smith’s post.
Smith also noted that not only did he have access to users’ names and emails, but he could also destroy any data the user had shared on the site, including photos and videos.
Whalerock Industries, the company that built the websites, said in a statement to TechCrunch on Wednesday that it has fixed the issue and that no payment information was compromised.
“Shortly after launch we were alerted that there was an open API. It was promptly closed. Our logs indicate that the author of the blog post was able to access only a limited set of names and email addresses. Our logs further indicate no one else had access and that no passwords nor payment data of any kind was exposed. Our highest priority is the security of our customers’ data,” the company said.