Kickstarter bug granted access to unlaunched projects

A bug in the private application programming interface (API) of Kickstarter, the popular crowd funding website for creative projects, has exposed details about 70,000 projects that will be launched on the website in the near future.

“For those who are unfamiliar, an API is a software interface that allows software to communicate with one another. It’s not like a webpage that an internet user could point their browser to. It is a feed of data meant to be shared between software. The API in this instance is for Kickstarter’s internal use,” explains Yancey Strickler, one of the site’s cofounders.

The bug was the result of a site upgrade effected on April 24, but was fixed only on May 11, after Kickstarter’s engineers were notified of it by a WSJ reporter who discovered it.

Among the details that were accessible are project descriptions, goals, duration, rewards, videos, images, location, category, and the user name.

Less than 50 unlaunched projects were accessed during the three weeks the bug was present, and that includes views by Kickstarter’s own team of developers.

Strickler made sure to point out that no financial or account information was accessible at any time, but he still described the incident as “unacceptable.”