Kickstarter Bug Exposes Private Project Info to Public

On Friday, a Kickstarter engineer discovered a small bug in Kickstarter’s private API.  The bug allowed a user’s private project data to be accessed via the API.  No financial data was compromised, but users with private projects may have had some of their information leaked.  Kickstarter reports that 48 projects were accessed during the weeks where the bug was live, but there’s no telling whether those were authorized by the original project owners or not.

In emerging social networks, and especially in networks like Kickstarter that involve financial transactions, security is critical to users’ willingness to participate.  If a user on Kickstarter is worried that something may go awry with a financial transaction, they are far less likely to donate.  That said, only minimal information was made available by this bug, and it’s unlikely that this will cause any major change in perception of Kickstarter.

The bug was introduced on April 24 as part of the new homepage design, and it was fixed on May 11 at 1:42pm.  The information made available to the public was project description, goal, duration, rewards, video, image, location, category, and user name.  Kickstarter’s research shows that 48 unlaunched projects were accessed, but that count includes views by the Wall Street Journal reporter who caught the bug as well as by Kickstarter developers themselves.
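The failure described above is a missing authorization check on an API endpoint: a caller who knew a project's id could read an unlaunched project. As an added example, not Kickstarter's code, the hypothetical handler below returns the fields the article lists only when the project has launched or the requester owns it; the project records, ids and field values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Fields the article says were exposed for unlaunched projects.
PUBLIC_FIELDS = ("description", "goal", "duration", "rewards", "video",
                 "image", "location", "category", "user_name")


@dataclass
class Project:
    project_id: int
    owner_id: int
    launched: bool
    data: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the requester may not see the project."""


def serialize_project(project: Project, requester_id: Optional[int]) -> dict:
    """Hypothetical API view: serve project data only to callers allowed to see it.

    The check below is the step a bug of this kind omits: without it, anyone
    who can guess or enumerate an id receives the unlaunched project's data.
    """
    if not project.launched and requester_id != project.owner_id:
        raise Forbidden(f"project {project.project_id} is not public")
    return {k: project.data.get(k) for k in PUBLIC_FIELDS}


# Constructed sample records (not real Kickstarter data).
SAMPLE = {
    1: Project(1, owner_id=10, launched=True,
               data={"description": "launched", "goal": 500, "user_name": "alice"}),
    2: Project(2, owner_id=20, launched=False,
               data={"description": "draft", "goal": 9000, "user_name": "bob"}),
}


def fetch(project_id: int, requester_id: Optional[int]) -> Optional[dict]:
    """Return the serialized project, or None when access is denied."""
    try:
        return serialize_project(SAMPLE[project_id], requester_id)
    except Forbidden:
        return None
```

A regression test that asserts an anonymous request for an unlaunched project returns nothing is the cheapest guard against reintroducing this class of bug during a redesign.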

Check out the blog post and the deeper analysis at the Wall Street Journal.