Kardashian Websites Expose 600,000 Email Addresses Via Massive Security Bug — Is Your Private Information Safe?

Kardashian has become a name synonymous with fame and privilege, but it could soon become synonymous with massive data breaches, TechCrunch reports.

The celebrity sisters recently launched apps and websites meant to give their fans more “access” to their lives. The Kardashian apps and websites also offer extra perks to paid subscribers. They basically allow you to “keep up” with the Kardashians via centrally curated online spaces. The apps have been dominating the app store, and have garnered thousands of downloads each during their first week. But, as one developer realized, the Kardashian websites have a major security flaw, and it exposes over half a million user email addresses.

According to TechCrunch, developer Alaxic Smith, 19, examined the websites’ code and discovered a huge security flaw. Due to a coding misconfiguration, he was able to pull over half a million user email addresses from Kylie Jenner’s website and do the same thing with the other websites, too. Smith also said that he was able to delete user photos, videos, and more.

Using the blogging platform Medium, Smith explained how he first realized that the Kardashian websites had a major security flaw, stating that the whole exercise started off as idle curiosity.

“I’ll admit I downloaded Kylie’s app just to check it out. I also checked out the website, and just like most developers, I decided to take a look around to see what was powering the site. After I started digging a little bit deeper, I found a JavaScript file named kylie.min.75c4ceae105ad8689f88270895e77cb0_gz.js. Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected.”

Alaxic eventually realised that the Kardashian websites were linked to an unsecured API, which meant that user information was vulnerable.

“Should users trust not only their personal information, but also payment information with these apps?” Smith asked in his Medium post.

It’s a good question, especially since online security breaches like this have become all too common recently. In July 2015, a hacker group called the Impact Team illegally pulled user information from Ashley Madison, a website set up to facilitate extra-marital affairs. The group released 25 gigabytes of personal Ashley Madison user information. A couple of famous people got exposed for having Ashley Madison accounts, including fundamentalist Christian Josh Duggar. In an investigative report, Gizmodo also discovered that only 1 percent of the Ashley Madison female accounts belonged to actual women, further damaging the website’s credibility.

In this Kardashian case, the developer in question was not able to see users’ payment info, but the flaw still exposes a massive oversight on the part of the app creators, Whalerock Industries. According to Gossip Cop, a spokesperson for Whalerock released the following statement:

“Shortly after launch we were alerted that there was an open API. It was promptly closed. Our logs indicate that the author of the blog post was able to access only a limited set of names and email addresses. Our logs further indicate no one else had access and that no passwords nor payment data of any kind was exposed. Our highest priority is the security of our customers’ data.”

Their new websites obviously boost the Kardashian net worth, but users now have to question whether “Keeping Up With The Kardashians” is worth risking their private information.

[Photo by Dimitrios Kambouris / Getty Images]