A young developer, poking around the code of Kylie Jenner’s new website, was able to access the full names and email addresses of over 600,000 users.
In addition to personal info, Alaxic Smith, 19, was able to create, alter and destroy user photos, videos and more.
Smith, who exposed the website’s vulnerabilities for the fun of it, says he’s not seeking to release any of the info; rather, he’s just giving Kylie a “heads up.”
I’ll admit I downloaded Kylie’s app just to check it out. I also checked out the website, and just like most developers, I decided to take a look around to see what was powering the site. After I started digging a little bit deeper, I found a JavaScript file named kylie.min.75c4ceae105ad8689f88270895e77cb0_gz.js. Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected.
h/t TechCrunch
If I were Kylie, I’d be expecting a nice refund from the developers! And if I were a Kylie subscriber, I’d be expecting a nice refund from her!