The Common Vulnerability Behind the Kardashian Sites’ Leak
The Kardashian and Jenner sisters released their own personalized apps last week, promising to share more moments of their lives with fans who pay the $2.99 monthly subscription. But a curious developer discovered they are sharing much more than that: Their apps leaked subscriber information for almost a million people.
Unlike many high-profile data breaches, the Kardashian/Jenner subscriber info wasn’t stolen by a hacker who broke into a database. Rather, the apps relied upon a poorly constructed API to relay data, allowing anyone logged into the fan apps or websites to do everything from retrieve subscriber information to delete photos and videos. The sites were, in effect, broadcasting this private data to anyone who knew where to look.
The breach appears to be the result of hasty developers failing to properly audit code ahead of a big launch. But the situation is a symptom of a larger problem: APIs are difficult to secure, and even the biggest tech companies struggle to control third-party access to their private APIs.
Hacking Into Private APIs Isn’t Hard to Do
After logging into Jenner’s site with his own credentials, Smith found the API returned a list of all her subscribers. The public had access to the full names and email addresses of 891,340 subscribers across the four celebrity-gazing apps until the developers behind the API locked it down. According to TechCrunch, the company behind the apps, Whalerock Industries, says it restricted API access within “a few hours” of Smith publishing his findings. The company also said passwords and credit card information remained hidden.
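The flaw described above and in the opening paragraphs is a missing object-level authorization check: the API confirmed the caller was logged in, then returned every subscriber's record. The following is an added illustration, not Whalerock's code; the `Session`, `SUBSCRIBERS` data and endpoint names are constructed, and it places the flawed handler beside a corrected one plus the pre-launch check an auditor would run.

```python
# Added example (not the apps' real code): models the authorization
# flaw behind the subscriber leak and the fix. All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "subscriber" or "admin"


# Constructed stand-in for the subscriber table.
SUBSCRIBERS = {
    1: {"name": "Alice Example", "email": "alice@example.com"},
    2: {"name": "Bob Example", "email": "bob@example.com"},
    3: {"name": "Carol Example", "email": "carol@example.com"},
}


class Forbidden(Exception):
    pass


def list_subscribers_vulnerable(session):
    """Flawed endpoint: only checks that *someone* is logged in, then
    returns every subscriber's name and e-mail, as in the leak."""
    if session is None:
        raise Forbidden("login required")
    return list(SUBSCRIBERS.values())


def get_subscriber_hardened(session, subscriber_id):
    """Fixed endpoint: object-level authorization. A subscriber may read
    only their own record; anything else requires the admin role."""
    if session is None:
        raise Forbidden("login required")
    if session.role != "admin" and session.user_id != subscriber_id:
        raise Forbidden("not your record")
    return SUBSCRIBERS[subscriber_id]


def list_subscribers_hardened(session):
    """Bulk listing is an admin-only operation, never a fan-level one."""
    if session is None or session.role != "admin":
        raise Forbidden("admin role required")
    return list(SUBSCRIBERS.values())


def leaks_to_ordinary_user(list_endpoint):
    """Pre-launch check: does an ordinary fan session get back more than
    its own record from a listing endpoint? True means it leaks."""
    fan = Session(user_id=1, role="subscriber")
    try:
        rows = list_endpoint(fan)
    except Forbidden:
        return False
    return len(rows) > 1
```

Run `leaks_to_ordinary_user` against every listing endpoint with a plain subscriber session before launch; any endpoint that returns more than the caller's own data is the bug this article describes.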
The most common kind of API is public—companies such as Twitter and Facebook release them to give third-party developers a way of extending their own services and using the big companies’ data. Companies also often build private APIs intended only for internal use, so their apps can communicate with their primary databases. However, those private APIs are often discovered by outside developers, which can lead to embarrassing consequences.
Private API Hacks Are Bound to Happen, But You Can Prepare
Many tech heavyweights, including Tesla, Airbnb, Uber, and Tinder, have seen private APIs reverse engineered. This usually leads to small headaches, like seeing scores of developers build Tinder bots that automatically “swipe right” on every profile. But sometimes supposedly private APIs expose sensitive user information and data.
Take Snapchat, which has long battled “unlawful” third-party apps that leverage its private API. In the summer of 2013, security researchers warned Snapchat that its API was leaking private user information, including millions of phone numbers, through its “Find Friends” feature. When the company ignored the warnings, a small group of security researchers anonymously published a database of 4.6 million usernames and phone numbers. Initially, Snapchat’s CEO refused to apologize for the breach, claiming “we thought we had done enough.” But mounting bad press prompted the company to back down and require users to verify their phone numbers before using “Find Friends.” This curtailed hackers’ ability to query its system and access user information anonymously—but it took Snapchat nine days.
“It’s pretty much impossible to stop someone from using your API,” says David Kelso, CEO of Beyond Pricing, who has reverse engineered multiple “home-sharing” startups’ APIs to build a dynamic pricing service for AirBNB listings. “By the time someone decides they want to use your API, there’s little you can do to stop it.”
Developers can use numerous tools to sniff out how companies use APIs for their apps and websites. Even when companies use vetted authentication systems, such as OAuth, it’s fairly easy for an engineer to use applications like mitmproxy, which spoof credentials and use man-in-the-middle attacks to intercept API calls—even if they are encrypted.