No Strangers To Indecent Exposure, Kardashians End Up Exposing Fans Due To API Vulnerability

You know APIs have hit the big time when even the Kardashians have them.

You can't make this stuff up. The Kardashians, who can credit their fame at least in part to indecent exposure, have indecently exposed their own fans thanks to some unsecured APIs on their Web sites. So says a news article that was just published over on SoftPedia. Apparently, each of the Kardashian girls -- Kim Kardashian, Khloe Kardashian, Kendall Jenner, and Kylie Jenner -- launched their own sites (and accompanying apps) in the last couple of days on some sort of shared infrastructure or code. Well, when you launch multiple sites on shared infrastructure, you also share any vulnerabilities. This is exactly what happened to the Kardashians, who love to share, um, everything!

Putting aside why anyone would actually need an app dedicated to any of the Kardashians, the SoftPedia coverage had this to say:

According to Alaxic Smith, CEO and Co-Founder of Communly, the company behind these new apps and websites --- Whalerock Digital Media --- left their API server unprotected, allowing any tech-savvy user to get details on users registered on the Kardashian / Jenner websites.

OK, so this doesn't look very good on the resume of Whalerock Digital Media. SoftPedia discovered news of the vulnerability from a post by Smith that was apparently published, then unpublished, and then republished (we swear, we're not making this up; in fact, do you ever have to make anything up when it comes to the Kardashians?). Currently that post starts with "Earlier, I removed this post from Medium, but I decided to post it again."

Yes, Alaxic, when it comes to security issues, we at ProgrammableWeb love transparency (and never hold back the punches when we detect a lack of it). Maybe the Kardashians should reward you the same way Google, Facebook and other Internet companies do, with bounty programs that reward hackers for their vulnerability discoveries. We wouldn't be all too surprised, though, if the Kardashians' autocorrect called it a booty program by mistake.

As for the severity of the vulnerability, Smith wrote that through it he was able to gain:

"access to the first names, last names, and email addresses of the 663,270 people who signed up for Kylie Jenner’s website. I then noticed that I could do the same API call across each of the websites and return the same exact data. I also had the ability to create/destroy users, photos, videos, and more. It’s clear why this is a major issue, and raises the question: should users trust not only their personal information, but also payment information with these apps?"
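As an added illustration (not code from this article, from Smith's post, or from Whalerock), here is a toy Python model of the pattern the quote describes: one backend serving several sites, with the unprotected handler beside a hardened one that requires a bearer token, rejects a token minted for a different site, and restricts user listing and deletion to an admin role. The site names, user records, tokens and the request format are all constructed for the example.

```python
"""Toy model of a shared, multi-site API: the unprotected pattern the
article describes beside a hardened version with authentication and
per-site authorization. Added example; not Whalerock's code. All site
names, user records and tokens below are constructed."""
import hmac
import secrets

# Constructed sample data: two sites served by one backend (assumption
# about the shared infrastructure the article mentions).
USERS = {
    "site-a": [
        {"first": "Ann", "last": "Lee", "email": "ann@example.invalid"},
        {"first": "Bob", "last": "Ray", "email": "bob@example.invalid"},
    ],
    "site-b": [
        {"first": "Cy", "last": "Ng", "email": "cy@example.invalid"},
    ],
}

# Bearer token -> (site, role). Populated by issue_token(); a real
# deployment would keep this in a session store, not a module dict.
SESSIONS = {}


def issue_token(site, role):
    """Mint a random bearer token bound to exactly one site and one role."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (site, role)
    return token


def _lookup(token):
    """Constant-time comparison against every known token, so that
    response timing does not reveal how much of a guessed token matched."""
    presented = token.encode()
    for known, grant in SESSIONS.items():
        if hmac.compare_digest(known.encode(), presented):
            return grant
    return None


def handle_unprotected(request):
    """The flaw in the quote above: no credential is checked at all, and
    the same call returns (or deletes) any site's users."""
    site, action = request["site"], request["action"]
    if action == "list_users":
        return 200, USERS.get(site, [])
    if action == "delete_user":
        USERS[site] = [u for u in USERS.get(site, [])
                       if u["email"] != request["email"]]
        return 200, {"deleted": request["email"]}
    return 404, {"error": "unknown action"}


def handle_hardened(request):
    """Same actions, gated on a valid bearer token, a site match, and role."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    grant = _lookup(auth[len("Bearer "):])
    if grant is None:
        return 401, {"error": "invalid token"}
    token_site, role = grant
    site, action = request["site"], request["action"]
    # A token minted for one site must never reach another site's data,
    # even though both sites share this backend.
    if site != token_site:
        return 403, {"error": "token not valid for this site"}
    # Listing and destroying accounts are administrative actions; an
    # ordinary user's token gets a 403 rather than the data.
    if action == "list_users":
        if role != "admin":
            return 403, {"error": "admin role required"}
        return 200, USERS.get(site, [])
    if action == "delete_user":
        if role != "admin":
            return 403, {"error": "admin role required"}
        before = len(USERS.get(site, []))
        USERS[site] = [u for u in USERS.get(site, [])
                       if u["email"] != request["email"]]
        return 200, {"deleted": before - len(USERS[site])}
    return 404, {"error": "unknown action"}


if __name__ == "__main__":
    admin = issue_token("site-b", "admin")
    hdr = {"Authorization": "Bearer " + admin}
    print(handle_unprotected({"site": "site-a", "action": "list_users"}))
    print(handle_hardened({"site": "site-a", "action": "list_users"}))
    print(handle_hardened({"site": "site-a", "action": "list_users", "headers": hdr}))
    print(handle_hardened({"site": "site-b", "action": "list_users", "headers": hdr}))
```

The site-scoping check is the piece that matters on a shared backend: a credential valid for one site must not return another site's records, which is exactly the cross-site reuse of a single API call that Smith describes. The 401 and 403 responses also give operators something to alert on; a burst of 401s against the user-listing action is the signature of the kind of unauthenticated enumeration this story is about.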

The API vulnerability has since been eradicated by Whalerock Digital Media. There's no telling if other similar vulnerabilities remain. Nor can we even vouch for the facts as they were reported. But there's one thing we at ProgrammableWeb keep saying about API security: in the last year or so, we've seen the biggest Internet brands -- Google, Facebook, Apple, Pinterest, etc. (the ones with the most money to pay security experts) -- fall prey to API security vulnerabilities. Now we can add the Kardashians to that list, proving just how hard it can be. API security, that is.

Original article: Unprotected API Exposes User Details for the Kardashian Websites