If you’re a Kim Kardashian superfan, you might be super screwed.
Kardashian’s personal website is full of security holes that put visitors at risk of malware and potential identity theft, the Daily Dot has learned.
In early April, security researcher and university student Jamie Woodruff discovered over a dozen security vulnerabilities in Kardashian’s website, KimKardashian.com. Woodruff says he immediately reported the security flaws to the site’s administrator, which he corroborated in an April 10 email shared with the Daily Dot. He says he also tweeted directly to Kardashian and her media-relations representatives. More than a month later, Woodruff has yet to receive a response.
The vulnerabilities Woodruff discovered not only put the integrity of the site at risk, he warns, but ostensibly the personal information of tens of thousands of fans.
“If the fans use the website, they could be at risk of downloading infected software; or worse, their information could be stolen from the database,” Woodruff said. He notes that the user passwords stored by WordPress are probably easy to decrypt, and that all too often people reuse passwords for more crucial purposes, like securing their bank accounts.
At 22, Woodruff holds security ‘ethical hacking’ certification from the EC Council, a status recognized by U.S. government agencies, including the National Security Agency. “I have always used my talent for good and ethical purposes,” Woodruff said.
In addition to Kardashian’s various social media accounts, KimKardashian.com serves as an archive of personal photos, videos, and messages, all allegedly published by the star herself. Woodruff says he first visited the site last month while trying to confirm rumors that an American arts school planned to give Kardashian’s husband, Kanye West, an honorary doctorate. (The Art Institute of Chicago awarded the musician with a Ph.D. on May 11.)
“I was looking online to see about Kanye’s doctorate, because I felt that he didn’t deserve one—calling himself ‘God,’ etc.,” said Woodruff, a student at Bangor University.
A plugin in Woodruff’s browser revealed that Kardashian’s site was running WordPress, a widely used content management system. After browsing to the site’s publicly accessible ‘readme’ page, he noticed the WordPress version used by KimKardashian.com was over two and half years old.
“I then used a tool, which tested the WordPress version to confirm my suspicions,” Woodruff said.
A security report provided by Woodruff to the Daily Dot detailed 15 security flaws that could be exploited for a variety of attacks. Some were useful for knocking the website offline using a denial-of-service attack. Others could enable an attacker to reset administrator and user passwords without an email request, bypass restricted URLs and folders, or steal login cookies.
Depending on which WordPress plugins are in use, half a dozen other, more serious bugs make it simple for a hacker to create a backdoor into Kardashian’s site, which could then be used to download databases containing user data—or, worse, upload malware that might infect thousands of computers.
“If the website uses shared hosting, then there’s a risk that other websites on the server can also be accessed,” Woodruff said, meaning there’s a chance that users on other websites unaffiliated with Kim Kardashian could also be at risk.
Woodruff detailed the extensive security flaws in an email to the site’s administrator; after 30 days he received no reply, and the site remains vulnerable.
— Jamie Woodruff (@jamie_geek) May 18, 2015
The Web administrator listed for KimKardashian.com did not respond to our request for comment.