

Kickstarter 'Bug' Exposed Projects  - danso
http://online.wsj.com/article_email/SB10001424052702304371504577402531319165366-lMyQjAxMTAyMDEwMzExNDMyWj.html

======
mirceagoia
I've discovered a bug (I think) too, in the last few days. I was logged into my
account wandering around, then I responded to somebody on my Gmail (somebody who
had a project on Kickstarter)...then I went back to my account and I saw I am
logged in now as the person I've just responded to!

I took screenshots of her account, I logged out and logged back into my
account. I sent an email to Kickstarter but I had no response from them. I
still have the screenshots.

~~~
mparlane
That makes no sense [to me]. I can't work out any plausible or implausible
reason that would happen when you used Gmail. How would your cookies change to
your friend's? Has she used your PC before?

------
jizzard
Kickstarter projects had a 46% success rate in 2011. But this figure only
includes projects they approved to be listed on the site. I have always
wondered what percentage they reject. With 70,000 private projects what can we
conclude about the real success rate?

Source: <http://www.kickstarter.com/blog/2011-the-stats>

------
drewwwwww
I expect him to be federally indicted ASAP, a la the Goatse Security 'hack'
against AT&T's publicly accessible DB of iPad device IDs.

------
abcd_f
> _The company said it didn't yet know if many people beyond a Wall Street
> Journal reporter saw the nonpublic information, but believes the exposure
> was limited._

Don't they have logs?

~~~
danso
I'm assuming this blogpost came after or roughly at the same time the WSJ said
it would publish:

<http://www.kickstarter.com/blog/kickstarter-api-bug>

> Based on our research, the overwhelming majority of the private API access
> was by a computer programmer/Wall Street Journal reporter who contacted us.
> Outside of that person's use, our research shows that a total of 48 unlaunched
> projects were accessed during the three weeks this bug was live (this number
> includes a number of views by Kickstarter's developers working on the API
> itself).

------
mattmanser
_The company said it didn't yet know if many people beyond a Wall Street
Journal reporter saw the nonpublic information, but believes the exposure was
limited.

Kickstarter said it patched the security hole on Friday afternoon, after The
Wall Street Journal began analyzing the exposed data._

Does that sound to anyone else like the WSJ just openly admitted to
deliberately hacking Kickstarter?

~~~
danso
The reporter (who is a dev) can speak for himself, but based on comments so
far, it looks like he was just incrementing IDs:

<https://twitter.com/#!/jsvine/status/202068880724729857>

This is something that based on a few precedents, probably wouldn't be
considered hacking. This includes the Democrat operative who uncovered a
meant-to-be-private audio recording belonging to Gov. Arnold Schwarzenegger by
going to the governor's public file server and moving up the directory tree:

<http://articles.latimes.com/2006/sep/13/local/me-audio13>

(disclosure: I'm friendly with the OP in the small world of devs)

*edit: obviously the AT&T ID case would be precedent too. But it seems the WSJ made prior notification before publication.

~~~
tptacek
I am not sure why you think incrementing IDs "isn't considered hacking".
Obviously, there's no concept of "hacking" under the law, but to qualify as
unauthorized access to a computer system, the only thing a prosecutor will
need to prove is that a reasonable person would have known that manipulating
raw URLs (or POST parameters or whatnot) to view other documents contravened
the intended use of the system.

There is absolutely no provision whatsoever under the law that scales the
severity of unauthorized access with the difficulty of the technical
countermeasure you circumvent. Unauthorized access is unauthorized access.
There could be _no_ security countermeasure in place whatsoever and you could
still run afoul of this.

~~~
fragsworth
I really doubt modifying a GET URL would be considered criminal in any court.
It's far too easily accessible to everyone. It's _two physical actions_ , a
click and a keypress.

~~~
tptacek
I'm pretty sure you're wrong. Ease has absolutely nothing to do with the
statute. If a reasonable person could be expected to know that the pages they
were accessing were unauthorized (or more precisely if a prosecutor or
plaintiff's counsel could make a convincing argument), that's the ball game.

This is a _very_ common misconception among tech people about how the CFAA
works.

~~~
mparlane
To be honest, if I changed an ID on a URL, I expect it to say "not found" or
"not authorised" if I am not allowed to see it. If it doesn't say such things,
then I can expect that it is ok to view.

That is what I have come to expect of such web pages.

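The behaviour the comment above expects, and the bug pattern the thread is discussing (an endpoint that looks an object up by a sequential ID without checking who is asking), as an added example that is not part of anyone's comment and not Kickstarter's code. The project records, owner names, ID range and the dict-shaped responses are all constructed for illustration; nothing here is taken from Kickstarter's actual API.

```python
"""Added example (not Kickstarter code, not from the thread): an
"incrementing IDs" walk against a toy API, with a vulnerable lookup
beside a hardened one. All data, names and the response shape are
constructed assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Project:
    id: int
    owner: str
    title: str
    launched: bool


# Constructed sample data. IDs are sequential, which is what makes
# guessing the next one trivial.
PROJECTS = {
    100: Project(100, "alice", "Public board game", True),
    101: Project(101, "bob",   "Unlaunched film (draft)", False),
    102: Project(102, "carol", "Public album", True),
    103: Project(103, "dave",  "Unlaunched gadget (draft)", False),
}


def vulnerable_get_project(project_id: int, requester: Optional[str]) -> Optional[dict]:
    """Bug pattern: looks the record up by id only; the requester is never
    consulted, so any unlaunched draft is readable by anyone who guesses its id."""
    p = PROJECTS.get(project_id)
    if p is None:
        return None
    return {"id": p.id, "title": p.title, "launched": p.launched}


def hardened_get_project(project_id: int, requester: Optional[str]) -> Optional[dict]:
    """Authorization decided per object, not per endpoint: a draft is visible
    only to its owner. Unknown ids and forbidden ids both come back as None
    (a 404 in HTTP terms), so an enumerator cannot tell "exists but private"
    from "does not exist"."""
    p = PROJECTS.get(project_id)
    if p is None:
        return None
    if not p.launched and requester != p.owner:
        return None
    return {"id": p.id, "title": p.title, "launched": p.launched}


def enumerate_ids(handler, start: int, stop: int, requester: Optional[str] = None) -> list:
    """What an id-incrementing walk amounts to: try each id in turn, keep the hits."""
    hits = []
    for pid in range(start, stop):
        r = handler(pid, requester)
        if r is not None:
            hits.append(r)
    return hits


def leaked_drafts(handler, start: int, stop: int, requester: Optional[str] = None) -> list:
    """Titles of unlaunched projects the given (or anonymous) caller can read."""
    return [r["title"] for r in enumerate_ids(handler, start, stop, requester)
            if not r["launched"]]


if __name__ == "__main__":
    print("vulnerable, anonymous:", leaked_drafts(vulnerable_get_project, 100, 105))
    print("hardened, anonymous:  ", leaked_drafts(hardened_get_project, 100, 105))
    print("hardened, as bob:     ", leaked_drafts(hardened_get_project, 100, 105, "bob"))
```

Two design points worth noting. First, the check lives next to the lookup rather than in a route-level "is this endpoint public" switch, because the endpoint itself is legitimately public for launched projects; it is the object, not the URL, that is private. Second, the hardened handler deliberately returns the same "not found" for a private id as for a nonexistent one; answering "not authorised" instead would still confirm to an enumerator which ids exist.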
~~~
tptacek
Good luck.

~~~
mparlane
So if I made a website called <http://thisisstep1.com/>

And it said "Coming soon."

And someone found out they can go to <http://thisisstep2.com/>.

Should I be able to say "But.. you aren't meant to go there!" ? At what point
does your legal boundary lie for what is considered a public webpage and what
is considered "not authorised."

~~~
statictype
What matters is intent. Did you intend to go there with the purpose of
violating some agreement? Or did you stumble there by accident. I think that
makes a difference.

------
subpixel
I know it's just a detail, but when the WSJ doesn't know what borough
Kickstarter is in (not Brooklyn, as the story reports), it casts some doubt on
the other facts in the story.

~~~
donohoe
Um, how so? Kickstarter doesn't dispute the facts and has in fact responded?

