Kickstarter API Bug
Share this post
On Friday one of our engineers uncovered a bug involving Kickstarter's private API, which is used to display projects on the Kickstarter homepage. This bug allowed some data from unlaunched projects to be made accessible via the API. It was immediately fixed upon discovering the error. No account or financial data of any kind was made accessible.
For those who are unfamiliar, an API is a software interface that allows software to communicate with one another. It's not like a webpage that an internet user could point their browser to. It is a feed of data meant to be shared between software. The API in this instance is for Kickstarter's internal use.
The bug was introduced when we launched the API in conjunction with our new homepage on April 24, and was live until it was discovered and fixed on Friday, May 11, at 1:42pm. The bug made accessible the project description, goal, duration, rewards, video, image, location, category, and user name for unlaunched projects. No account or financial data was made accessible.
Based on our research, the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us. Outside of that person's use, our research shows that a total of 48 unlaunched projects were accessed during the three weeks this bug was live (this number includes a number of views by Kickstarter's developers working on the API itself).
Obviously our users' data is incredibly important to us. Even though limited information was made accessible through this bug, it is completely unacceptable. We want to underline once again that zero account or financial information was at any time made accessible by this bug.