The Kickstarter Blog

Kickstarter API Bug

On Friday one of our engineers uncovered a bug in Kickstarter's private API, the feed the Kickstarter homepage uses to display projects. The bug allowed some data from unlaunched projects to be read through the API. It was fixed immediately upon discovery. No account or financial data of any kind was made accessible.

For those who are unfamiliar, an API is a software interface that lets one program exchange data with another. It is not a web page an internet user would point a browser at; it is a feed of structured data meant to be consumed by other software. The API in this instance exists for Kickstarter's internal use.

The bug was introduced when we launched the API together with our new homepage on April 24, and it remained live until it was discovered and fixed on Friday, May 11, at 1:42pm. For unlaunched projects, the bug exposed the project description, goal, duration, rewards, video, image, location, category, and the creator's user name. No account or financial data was made accessible.
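As an added illustration (this is not Kickstarter's code, and the post does not describe how its API was actually implemented), the snippet below models the general failure mode in Python: a feed handler that looks projects up by id and serializes whatever it finds, beside a version that applies the launched-state rule at the data layer before anything is serialized. The project fields, the "draft"/"live" state values and the two sample projects are assumptions constructed for the example.

```python
# Added example, not Kickstarter's code. Models a homepage feed handler that
# serializes any project an id resolves to, with no check that the project has
# launched, next to the hardened form. Field names, state values and the sample
# data below are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Project:
    id: int
    name: str
    state: str                 # assumed: "draft" = unlaunched, "live" = launched
    description: str = ""
    goal: int = 0              # assumed to be whole dollars
    duration_days: int = 0
    rewards: list = field(default_factory=list)
    video_url: str = ""
    image_url: str = ""
    location: str = ""
    category: str = ""
    creator_name: str = ""
    creator_email: str = ""    # account data: must never reach an API response
    pledged_cents: int = 0     # financial data: must never reach an API response


# Constructed sample store: one launched project, one still being drafted.
PROJECTS = {
    101: Project(101, "Documentary", "live", "A film about bees", 5000, 30,
                 ["Poster", "DVD"], location="Brooklyn, NY", category="Film",
                 creator_name="alice", creator_email="alice@example.invalid",
                 pledged_cents=123400),
    102: Project(102, "Unannounced gadget", "draft", "Top secret hardware", 80000,
                 45, ["Early unit"], location="Austin, TX", category="Technology",
                 creator_name="bob", creator_email="bob@example.invalid"),
}

# Allow-list of attributes the homepage needs (the same kinds of fields the post
# says were exposed). An allow-list controls WHAT is shown; it says nothing about
# WHICH projects may be shown, which is the property the bug lacked.
PUBLIC_FIELDS = ("id", "name", "description", "goal", "duration_days", "rewards",
                 "video_url", "image_url", "location", "category", "creator_name")


def serialize(project: Project) -> dict:
    """Copy only allow-listed attributes; never iterate over every field."""
    return {name: getattr(project, name) for name in PUBLIC_FIELDS}


def feed_vulnerable(ids):
    """Resolves ids and serializes every hit. The only 'authorization' is that
    the caller supplied an id, so a draft project comes back like a live one."""
    return [serialize(PROJECTS[i]) for i in ids if i in PROJECTS]


def feed_fixed(ids):
    """Applies the visibility rule before serialization: only launched projects
    are eligible, and a draft id is treated exactly like an unknown id so the
    response does not even confirm that a draft with that id exists."""
    visible = {i: p for i, p in PROJECTS.items() if p.state == "live"}
    return [serialize(visible[i]) for i in ids if i in visible]


def exposed_drafts(feed, ids):
    """Regression check for CI: names of unlaunched projects a feed returns."""
    return sorted(r["name"] for r in feed(ids)
                  if PROJECTS[r["id"]].state != "live")


def leaks_private_fields(records) -> bool:
    """True if any record carries account or financial attributes."""
    forbidden = {"creator_email", "pledged_cents"}
    return any(forbidden & set(r) for r in records)


if __name__ == "__main__":
    ids = [101, 102, 999]
    print("vulnerable feed exposes drafts:", exposed_drafts(feed_vulnerable, ids))
    print("fixed feed exposes drafts:     ", exposed_drafts(feed_fixed, ids))
```

The fix lives in the query, not the serializer: the serializer's allow-list is why account and financial fields were never exposed, but only a state filter applied before lookup keeps unlaunched projects out of the feed. A check like `exposed_drafts` belongs in the test suite of every endpoint that serves user-created content, so that a later refactor of the query cannot silently reintroduce the same class of bug.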

Based on our research, the overwhelming majority of the private API access came from one person, a computer programmer and Wall Street Journal reporter, who contacted us. Outside of that person's use, our research shows that a total of 48 unlaunched projects were accessed during the three weeks the bug was live (this count includes views by Kickstarter's own developers while working on the API itself).

Obviously our users' data is incredibly important to us. Even though only limited information was made accessible through this bug, it is completely unacceptable. We want to underline once again that no account or financial information was at any time made accessible by this bug.

Comments

    1. Creator Walter Jeffries on May 14, 2012

      Not big news but thank you for the disclosure.

      1. Kickstarter fixed it. Good for them.

      2. Nobody was harmed in the making of this error.

      3. Ideas are freely available on Kickstarter. They do make that point. If people can't stand ideas being known then don't Kickstart them.

      We are building a nano-scale on-farm USDA meat processing facility for our farm. We're using Kickstarter to fund it in part (see http://smf.me/ for details; tomorrow's the last day, May 15th). I'm open sourcing it. Go see my blog, see the floor plan, and read about all the neat things we've developed to make it more energy efficient, smaller, lower cost and useful. If you want to do the same thing then more power to you. Share ideas.

      -Walter Jeffries
      Sugar Mountain Farm
      http://sugarmtnfarm.com/

    2. Creator Arlo Barnes on May 16, 2012

      "Comments promoting a project will be removed."
      Other than that, I agree with you that open-source projects are pretty nice.
      Backlink: http://www.explainxkcd.com/2012/05/14/kickstarter/comment-page-1/#comment-28310

    3. Creator Tom K. on August 3, 2012

      I'm seeing projects like SMBC Theater that would benefit from an OpenID/OAuth API option. They have a site for 'total super awesome best friends', and to get in you must enter a username/password for backers. But it never changes. It also can be spread around. It'd be better if they had a WP plugin they could drop in so that I could log in through my Kickstarter account, which can verify whether I was a backer or not.

      In short: Why not expand on this API?

    4. Creator Be Good Today Inc. on April 11, 2013

      Appreciate and highly respect the transparency. Thanks. We love how you guys operate.

    5. Creator Be Good Today Inc. on April 11, 2013

      When will your public API be available? We donate 50% of our daily ad revenue to Kickstarter projects, so we would love to have API access to project creator updates as well as our "My Backer History" data, so that we can make this data visible to our users (since we are contributing on their behalf).