Journalist Hacks Kickstarter

Website update leaves a gaping hole in Kickstarter's security

A reporter for The Wall Street Journal appears to have hacked a popular crowdfunding website last week, exposing a security gap created during a software update. The reporter, Jeremy Singer-Vine, was able to access a massive amount of private information before Kickstarter hurriedly fixed the problem on Friday 12 May.

Kickstarter is a place for artists and gadget-makers to present their projects to the public and ask for monetary backing in exchange for rewards. It could be a $1 pledge to a documentary with satisfaction as the reward, or a $200 pledge to back the next iPad accessory in exchange for the new toy.

Singer-Vine and the Journal downloaded almost 77 000 unpublished projects.

According to Kickstarter, one of its engineers found the so-called bug. Not the case, says the Journal. Singer-Vine, who is a computer programmer as well as a reporter, didn’t say what he was doing snooping around Kickstarter’s innards. But it appears that he discovered the problem, then he told Kickstarter about it—maybe so they could fix it, maybe so he could get a quote (which, by the way, he didn't).

Kickstarter had updated its website with some new features and a new software interface on 24 April, in honor of its third birthday. The updated software included a back-end way to look at projects that weren’t ready for consumption. That private information wasn’t readily accessible from the site, but outsiders, such as the Journal’s reporter, apparently were able to access the site's internal data feed for about three weeks.

Users of the site never provide credit card information to Kickstarter itself—it uses Amazon for payments—so no financial information was divulged. But the reporter was able to access project photos, videos, locations, descriptions, fundraising goals, planned rewards for project backers, and user names.
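The defect described above is a missing object-level authorization check: a new back-end view selected projects by their draft state but not by who was asking, so anyone who could reach the feed saw every unpublished project. The following Python is an added illustration of that pattern and its fix, not Kickstarter's code; the User and Project fields, the visibility rule (drafts visible only to their owner or to staff) and the sample data are all assumptions constructed for the example. The last helper shows the kind of per-requester count over the endpoint's access log that would have surfaced a single party pulling tens of thousands of drafts long before three weeks had passed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class User:
    id: int
    is_staff: bool = False


@dataclass(frozen=True)
class Project:
    id: int
    owner_id: int
    published: bool
    title: str


def can_view(viewer: Optional[User], project: Project) -> bool:
    """Assumed rule: published projects are public; drafts are visible
    only to their owner or to staff. Anonymous viewers see no drafts."""
    if project.published:
        return True
    if viewer is None:
        return False
    return viewer.is_staff or viewer.id == project.owner_id


def draft_feed_unchecked(projects: Iterable[Project]) -> list[Project]:
    """Weak pattern: filters by project state only, so every caller who can
    reach the endpoint receives every unpublished project."""
    return [p for p in projects if not p.published]


def draft_feed(viewer: Optional[User], projects: Iterable[Project]) -> list[Project]:
    """Hardened form: the same selection, but each row is also filtered
    through can_view for the requesting user."""
    return [p for p in projects if not p.published and can_view(viewer, p)]


def flag_bulk_draft_access(access_log: Iterable[tuple[str, Project]],
                           threshold: int) -> dict[str, int]:
    """Detection helper: count draft accesses per requester from the
    endpoint's access log and return those at or above the threshold."""
    counts = Counter(req for req, p in access_log if not p.published)
    return {req: n for req, n in counts.items() if n >= threshold}


# Constructed sample data (hypothetical users and projects, not real ones)
ALICE = User(id=1)
BOB = User(id=2)
STAFF = User(id=99, is_staff=True)
PROJECTS = [
    Project(1, ALICE.id, True, "Published documentary"),
    Project(2, ALICE.id, False, "Alice's unpublished draft"),
    Project(3, BOB.id, False, "Bob's unpublished draft"),
]

if __name__ == "__main__":
    print("unchecked feed, anonymous:", [p.id for p in draft_feed_unchecked(PROJECTS)])
    print("checked feed, anonymous:  ", [p.id for p in draft_feed(None, PROJECTS)])
    print("checked feed, Alice:      ", [p.id for p in draft_feed(ALICE, PROJECTS)])
    # Constructed access log: one anonymous requester pulling drafts repeatedly
    log = [("anon", PROJECTS[1])] * 5 + [("alice", PROJECTS[1])]
    print("bulk draft access:", flag_bulk_draft_access(log, threshold=5))
```

The point of the two feed functions is that the query that selects drafts is unchanged; the fix is a per-row check against the viewer that every route exposing non-public data must carry, new back-end views included. The threshold in the detection helper is a placeholder; in practice it would be tuned to how many of their own drafts a legitimate user or staff member touches in a session.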

An invasion of privacy in a creative space may be less of a concern than a financial incursion or a medical records breach, but the fact that no one at the company was aware of the security hole for three weeks is disconcerting. Still, very few people actually exploited the breach, Kickstarter says. Only 48 projects were looked at, including those accessed by programmers to fix the bug. Except, of course, for the thousands of projects accessed by the reporter.

Updating a website is often necessary for rapidly growing start-ups. Kickstarter is a prime example. In 2011, users pledged almost $100 million to over 27 000 projects. In the last month, users pledged over $10 million to just one project: Pebble, the fabled smartphone-enabled watch. But, clearly, mistakes can be made during an upgrade.

Keep an eye out for our June video on Kickstarter crowdfunded Apple accessories.