Turns out, not a single one of ’em was secure. We repeat: Ashley. Madison.
The discovery was made by software engineer Alaxic Smith, who described his digital break-and-enter on (much more secure) website Medium:
“Just like most developers, I decided to take a look around to see what was powering the site. I started digging a little bit deeper and found a JavaScript file named kylie.min.75c4ceae105ad8689f88270895e77cb0_gz.js.”
“Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected. Then, I logged into the site with my username and password, and was directed to this page:”
“Initially, I thought that this was a page filled with dummy data, but as I started to look closer, it wasn’t. I now had access to the first names, last names, and email addresses of the 663,270 people who signed up for Kylie Jenner’s website. I then noticed that I could do the same API call across each of the websites and return the same exact data for each site. I also had the ability to create / destroy users, photos, videos, and more.”
DW, this is not Ashley Madison 2.0. Smith has already alerted the team behind the apps (who should probably be taking a long, hard look at their code), and he didn’t steal or publish any user data.
That courtesy, however, doesn’t extend to the Kardashians’ sign-up data. Smith made one other important discovery that day: that Kylie is eight times more popular than Kim:
Kylie Jenner – 663,270 users
Kim Kardashian – 80,679 users
Kendall Jenner – 50,765 users
Khloe Kardashian – 96,635 users
Total Users – 891,340
Picture – do we really need to say this? – Keeping Up With The Kardashians.