Kickstarter security vulnerability exposes projects
A programming error on the crowd-funding platform Kickstarter allowed outsiders to access data on projects that had not yet been launched. The wrongly disclosed information included the project description, funding goal, duration, rewards and the name of the user behind the project. Kickstarter has reassured backers that their personal details were not at risk. According to a report in the Wall Street Journal (WSJ), the bug exposed details of more than 70,000 unlaunched projects. The bug was in the public API through which external applications access the platform.
According to Kickstarter, the bug had been present since a web site relaunch on 24 April and was fixed on 11 May. In a blog posting on the incident, the company states that only 48 projects were actually accessed, and that the majority of those accesses were made by the computer programmer or the WSJ reporter who contacted the company. In the same posting, Kickstarter co-founder Yancey Strickler expresses his regret over the incident: "Even though limited information was made accessible through this bug, it is completely unacceptable". Because Kickstarter processes all payments via Amazon Payments, the company's own servers do not store any credit card or similar personal information.
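The article does not say what the programming error was, only that an API endpoint returned details of projects that had not been launched. The following is an added illustration of that class of flaw and is not Kickstarter's code: a hypothetical project-lookup endpoint that serves any record it finds by id, beside a version that only serves an unlaunched project to its owner. The project fields, the in-memory store and the caller model are all constructed for the example.

```python
"""Hypothetical API handler for the bug class described above: a read
endpoint that serves project records by id without checking whether the
project has launched or whether the caller owns it. Not Kickstarter's code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Project:
    project_id: int
    owner: str
    name: str
    description: str
    goal_usd: int
    duration_days: int
    rewards: tuple
    launched: bool


@dataclass(frozen=True)
class Caller:
    # None models an anonymous request or a third-party app with no user token.
    user: Optional[str]


# Constructed sample data, not real projects.
PROJECTS = {
    1: Project(1, "alice", "Open hardware synth", "A DIY synthesizer kit",
               50_000, 30, ("bare PCB", "assembled unit"), launched=True),
    2: Project(2, "bob", "Unannounced game", "Stealth title, still in planning",
               120_000, 45, ("digital copy",), launched=False),
}


def public_view(p: Project) -> dict:
    """Fields that are fine to return for a project the caller may see."""
    return {
        "id": p.project_id,
        "creator": p.owner,
        "name": p.name,
        "description": p.description,
        "goal_usd": p.goal_usd,
        "duration_days": p.duration_days,
        "rewards": list(p.rewards),
        "launched": p.launched,
    }


def get_project_vulnerable(project_id: int, caller: Caller) -> Optional[dict]:
    """Authenticates nobody and authorises nothing: any record found by id is
    returned, so an unlaunched draft is exposed to whoever guesses its id."""
    p = PROJECTS.get(project_id)
    return None if p is None else public_view(p)


def get_project_fixed(project_id: int, caller: Caller) -> Optional[dict]:
    """Launched projects are public; an unlaunched one is visible only to its
    owner. The hidden-draft case returns the same result as a missing id so
    that id enumeration cannot even confirm that a draft exists."""
    p = PROJECTS.get(project_id)
    if p is None:
        return None
    if not p.launched and caller.user != p.owner:
        return None
    return public_view(p)


if __name__ == "__main__":
    anon = Caller(user=None)
    print("vulnerable:", get_project_vulnerable(2, anon))
    print("fixed, anonymous:", get_project_fixed(2, anon))
    print("fixed, owner:", get_project_fixed(2, Caller(user="bob")))
```

Two points matter in the fixed version: the authorisation decision is made next to the lookup rather than left to the client, and the "exists but you may not see it" case is indistinguishable from "does not exist", which matters when ids are sequential and an API can be walked from 1 upwards.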
Kickstarter specialises in crowd funding, in which a person or company proposes a project, specifies how much funding they need and invites visitors to participate in realising the idea by pledging money to it. The money pledged is only collected once the target has been reached. If a project fails to achieve its target funding, it is cancelled at no cost to backers. Backers receive differing rewards for their contributions: for a game, it might be a copy of the finished game; for a hardware project, one of the financed devices. Larger pledges earn larger rewards. Kickstarter takes five per cent of the money received.