The Kardashian and Jenner sisters released new websites and apps this week. And the user data has already leaked!
The sisters released their products at the same time, with little fanfare and negligible marketing, and amassed nearly 900,000 users within 24 hours. Kylie was the most popular sister, with 74% of new users downloading her app or visiting her website. In fact, Kylie got 824% more users than sister Kim Kardashian.
But, wait, HOW do we know the exact user numbers and who had the most popular app? Because a 19-year-old app developer discovered a security flaw that revealed user information.
Alaxic Smith found the first names, last names, and email addresses of 891,340 people through a loophole in the API. Alaxic also found he could make changes to the websites, including deleting user-generated information.
Alaxic wrote in the blog post what happened:
I now had access to the first names, last names, and email addresses of the 663,270 people who signed up for Kylie Jenner’s website.
I then noticed that I could do the same API call across each of the websites and return the same exact data for each site.
I also had the ability to create / destroy users, photos, videos, and more.
It’s clear why this is a major issue, and raises the question: should users trust not only their personal information but also payment information with these apps?
The company that built the apps, Whalerock Digital Media, responded by forcing Alaxic to remove the post, stopping him from talking to the media, and claiming Alaxic was the only person to find this info. They say people’s data, including credit card info (used to pay for subscriptions), is safe.