Journalist Hacks Kickstarter

A reporter for The Wall Street Journal appears to have hacked a popular crowdfunding website last week, exposing a security gap created during a software update. The reporter, Jeremy Singer-Vine, was able to access a massive amount of private information before Kickstarter hurriedly fixed the problem on Friday 12 May.

Kickstarter is a place for artists and gadget-makers to present their projects to the public and ask for monetary backing in exchange for rewards. It could be a $1 pledge to a documentary with satisfaction as the reward, or a $200 pledge to back the next iPad accessory in exchange for the new toy.

Singer-Vine and the Journal downloaded almost 77 000 unpublished projects.

According to Kickstarter, one of its engineers found the so-called bug. Not the case, says the Journal. Singer-Vine, who is a computer programmer as well as a reporter, didn’t say what he was doing snooping around Kickstarter’s innards. But it appears that he discovered the problem, then he told Kickstarter about it—maybe so they could fix it, maybe so he could get a quote (which, by the way, he didn't).

Kickstarter had updated its website with some new features and a new software interface on 24 April, in honor of its third birthday. The updated software included a back-end way to look at projects that weren’t ready for consumption. That private information wasn’t readily accessible from the site, but outsiders, such as the Journal’s reporter, apparently were able to access the site's internal data feed for about three weeks.

Users of the site never provide credit card information to Kickstarter itself—it uses Amazon for payments—so no financial information was divulgled. But the reporter was able to access project photos, videos, locations, descriptions, fundraising goals, planned rewards for project backers, and user names.

An invasion of privacy in a creative space may be less of a concern than a financial incursion or a medical records breach, but the fact that no one at the company was aware of the security hole for three weeks is disconcerting. Still, very few people actually exploited the breach, Kickstarter says. Only 48 projects were looked at, including those accessed by programmers to fix the bug. Except, of course, for the thousands of projects accessed by the reporter.

Updating a website is often necessary for rapidly growing start-ups. Kickstarter is prime example. In 2011, users pledged almost $100 million to over 27 000 projects. In the last month, users pledged over $10 million to just one project: Pebble, the fabled smartphone-enabled watch. But, clearly, mistakes can be made during an upgrade.

 

Keep an eye out for our June video on Kickstarter crowdfunded Apple accessories.

Advertisement

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
Advertisement