The Kardashians are often called “over-exposed,” but a flaw in recently launched websites for the celebrity family offered exposure of an entirely different kind: the names and email addresses of more than half a million users. A 19-year-old developer, Alaxic Smith, poked around in the code and found that he could access the information of users who signed up for Kylie Jenner’s website, and could pull similar user data from the other websites. He also said that the flaw would allow an attacker to create and destroy user profiles, and access and delete photos, videos and more. “I’ll admit I downloaded Kylie’s app just to check it out,” he wrote on his blog site. “I also checked out the website, and just like most developers, I decided to take a look around to see what was powering the site. After I started digging a little bit deeper, I found a JavaScript file. Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected.”