
The new Kardashian and Jenner websites exposed more than 800,000 users' personal data

Getty Images

The new Kardashian and Jenner sister websites, which launched Monday, exposed the names and emails of more than half a million subscribers.


Alaxic Smith, a 19-year-old developer, discovered a misconfiguration that could be exploited to gain access to a list of users' names and emails.

Earlier this week the Kardashian/Jenner sisters launched four subscription-based apps for sharing exclusive content with fans willing to pay. Alongside the apps they also rolled out their own websites, one for each of the four participating sisters.

In a Medium post that was recently removed, Smith said that he was looking around Kylie Jenner's new site when he discovered a JavaScript file and began to tinker with it.

In his original Medium post, which can still be found via a cached Google page, Smith said:


“Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected.”

But then he logged onto Kylie's website with his own username and password and found that the same endpoint now sent him to a page listing the first and last names of 663,270 users. He then tried the same thing on each of the other sisters' websites and found that it worked across all of them.

In total, 891,240 users were exposed, according to Smith's post. 

Smith also noted that not only did he have access to users' names and emails, but he could also destroy any data the user had shared on the site, including photos and videos.
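As an added illustration (not code from the page, from Smith or from Whalerock), the Python sketch below models the defect the article describes: an endpoint that only checks for a logged-in session and then returns every subscriber record, beside a version that also checks which record the caller may read or which media the caller may delete. The user records, media ids and session model are constructed for the example.

```python
"""Authentication alone versus authentication plus object-level authorization."""
from typing import Dict, List, Optional
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    name: str
    email: str
    is_admin: bool = False


@dataclass
class Session:
    user_id: Optional[int]  # None models an anonymous (not logged in) caller


class Forbidden(Exception):
    pass


# Constructed sample store standing in for the subscriber database.
USERS: Dict[int, User] = {
    1: User(1, "Alice Example", "alice@example.com"),
    2: User(2, "Bob Example", "bob@example.com"),
    99: User(99, "Site Admin", "admin@example.com", is_admin=True),
}
MEDIA: Dict[str, int] = {"photo-1": 1, "video-7": 2}  # media id -> owning user_id


def list_users_vulnerable(session: Session) -> List[User]:
    """Checks only that the caller is logged in, then returns every record."""
    if session.user_id is None:
        raise Forbidden("login required")  # the error an anonymous request gets
    return list(USERS.values())            # every subscriber's name and email


def get_user_hardened(session: Session, user_id: int) -> User:
    """Same login check, plus: a non-admin may only read their own record."""
    if session.user_id is None:
        raise Forbidden("login required")
    caller = USERS[session.user_id]
    if user_id != caller.user_id and not caller.is_admin:
        raise Forbidden("not your record")
    return USERS[user_id]


def delete_media_hardened(session: Session, media_id: str) -> None:
    """Destructive calls need an ownership check too, not just a login."""
    if session.user_id is None:
        raise Forbidden("login required")
    owner = MEDIA[media_id]  # KeyError for unknown ids
    if owner != session.user_id and not USERS[session.user_id].is_admin:
        raise Forbidden("not your media")
    del MEDIA[media_id]
```

The vulnerable function returns the whole user table to any subscriber, which is exactly the behaviour the article describes; the hardened functions return or delete only what the caller owns, unless the caller is an administrator.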


Whalerock Industries, the company that built the websites, said in a statement to TechCrunch Wednesday that it has fixed the issue and that no payment information was compromised.

“Shortly after launch we were alerted that there was an open API. It was promptly closed. Our logs indicate that the author of the blog post was able to access only a limited set of names and email addresses. Our logs further indicate no one else had access and that no passwords nor payment data of any kind was exposed. Our highest priority is the security of our customers’ data,” the company said.
