Kickstarter API bug leaks projects’ drafts

On its blog, Kickstarter announced that a bug had existed in the site's API since the new homepage went live on April 24th. The API is used to display projects on the homepage, and the bug could allow unlaunched projects to be accessed through it. The bug and the API were unrelated to account or financial data.
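The post does not say how the API exposed unlaunched projects, so the following is an added illustration, not Kickstarter's code: a project lookup that returns any record it finds (leaking drafts to anyone who walks the id space) beside a hardened version that returns a draft only to its owner, with a small visibility check a team could keep as a regression test. Project ids, owners and titles are constructed sample data.

```python
# Added illustrative example; the data model and the bug mechanism are
# assumptions, not details from the Kickstarter post.
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    project_id: int
    owner: str
    state: str  # "draft" (unlaunched) or "launched"
    title: str


# Constructed sample data: two launched projects and one unlaunched draft.
PROJECTS = {
    101: Project(101, "alice", "launched", "Album A"),
    102: Project(102, "bob", "draft", "Unannounced gadget"),
    103: Project(103, "carol", "launched", "Card game"),
}


def get_project_vulnerable(project_id, requester=None):
    """Buggy lookup: every existing id is returned regardless of state,
    so an unlaunched draft is visible to any caller of the public API."""
    return PROJECTS.get(project_id)


def get_project_fixed(project_id, requester=None):
    """Hardened lookup: a draft is returned only to its owner. Everyone
    else gets None, rendered as the same 404 a nonexistent id would get,
    so the response does not confirm that a draft exists at that id."""
    project = PROJECTS.get(project_id)
    if project is None:
        return None
    if project.state != "launched" and project.owner != requester:
        return None
    return project


def visible_ids(lookup, id_range, requester=None):
    """Regression check: which ids an anonymous homepage client can see.
    With the fix, drafts never appear in this list."""
    return [p.project_id for i in id_range if (p := lookup(i, requester))]
```

Pair the fix with server-side logging of denied draft lookups, which is the signal that made the three-week exposure window measurable in this incident.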

Based on our research, the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us. Outside of that person’s use, our research shows that a total of 48 unlaunched projects were accessed during the three weeks this bug was live (this number includes a number of views by Kickstarter’s developers working on the API itself).

No account or financial information was disclosed through this bug, but projects still in the draft stage could have been viewed and then upstaged or foiled through other means.

The WSJ wrote an article about the bug and explained that it was able to access nearly 77,000 projects and drafts:

The Journal was able to download nearly 77,000 of Kickstarter’s most recent projects and drafts, dating back to mid-March, before Kickstarter plugged the security hole around 1:40pm Eastern on Friday.

When told about the lapse, Kickstarter users whose draft projects were affected didn’t seem particularly troubled. Sam Billen, a teacher and musician in Lawrence, Kan., had set a goal of $5,000 to help fund his first full-length album in three years. “I’d expect things like [the breach] to happen as they’re growing,” Mr. Billen said. “It’s probably a one-time thing. But I think there are possibly some bigger projects out there where it might have been a bigger issue.”

Categories : Security
Posted by Jason Hamilton | May 15, 2012