Kickstarter recently experienced a security bug that made information from 70,000 unpublished projects accessible through the API connected to their homepage. The problem? Kickstarter’s new homepage didn’t play nice with the API. From Kickstarter’s blog:
The bug was introduced when we launched the API in conjunction with our new homepage on April 24, and was live until it was discovered and fixed on Friday, May 11, at 1:42pm. The bug made accessible the project description, goal, duration, rewards, video, image, location, category, and user name for unlaunched projects. No account or financial data was made accessible.
Luckily, the majority of the exposed information was accessed by a Wall Street Journal reporter, who notified Kickstarter about the issue. While information from 70,000 projects was accessible, only 48 projects were accessed by people other than the reporter.
Now I don’t know Kickstarter’s testing practices, and maybe this was just one of those things that unfortunately slipped through the cracks, but it seems like a prime example of the need for regression testing. When you’re introducing a new element to your site, software, or app, it’s extremely important to make sure it doesn’t break any existing components – especially security-related aspects such as who is allowed to see what. Kickstarter is lucky that no personal or financial data was leaked, but that may not be the case next time. So let this be a lesson on why regression testing is so important!
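To make the lesson concrete, here is an added example of the kind of authorization regression test that would catch a bug like this one before a new API ships. It is illustrative code written for this post, not Kickstarter’s code: the project records, the field names, the two handler shapes (a buggy listing that ignores launch state beside a fixed one that hides drafts from everyone but their owner) and the viewer names are all constructed. The check recomputes the set of projects each viewer is allowed to see directly from the data, rather than trusting the handler, and reports any unlaunched project the handler exposes anyway.

```python
"""Added example: an authorization regression test for a project-listing API.

Illustrative code for this post, not Kickstarter's. Project data, field names,
handler shapes and viewer names are constructed for the example.
"""
from typing import Callable, Optional
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    id: int
    name: str
    owner: str
    launched: bool
    description: str = ""


# Constructed sample data: two launched projects, two unlaunched drafts.
PROJECTS = [
    Project(1, "Solar Lantern", "alice", True, "public"),
    Project(2, "Board Game", "bob", True, "public"),
    Project(3, "Secret Gadget", "alice", False, "draft, owner only"),
    Project(4, "Stealth Film", "carol", False, "draft, owner only"),
]

# Fields the hypothetical homepage API serializes; a draft's description is among them.
PUBLIC_FIELDS = ("id", "name", "owner", "description")


def serialize(project: Project) -> dict:
    return {f: getattr(project, f) for f in PUBLIC_FIELDS}


def list_projects_buggy(viewer: Optional[str]) -> list[dict]:
    """Hypothetical 'before' handler: serializes every row and ignores launch state."""
    return [serialize(p) for p in PROJECTS]


def list_projects(viewer: Optional[str]) -> list[dict]:
    """Fixed handler: an unlaunched project is visible only to its owner."""
    return [serialize(p) for p in PROJECTS if p.launched or p.owner == viewer]


Handler = Callable[[Optional[str]], list[dict]]


def unlaunched_leaks(handler: Handler, viewer: Optional[str]) -> list[str]:
    """Regression check: names of unlaunched projects `handler` exposes to `viewer`
    that the viewer does not own. The allowed set is derived from the data, not from
    the handler under test. An empty list means the invariant holds."""
    allowed = {p.id for p in PROJECTS if p.launched or p.owner == viewer}
    return [row["name"] for row in handler(viewer) if row["id"] not in allowed]


def run_regression_suite(handler: Handler) -> dict[str, list[str]]:
    """Run the invariant for the viewers that matter: anonymous, a non-owner, an owner."""
    return {
        "anonymous": unlaunched_leaks(handler, None),
        "other-user": unlaunched_leaks(handler, "bob"),
        "owner-alice": unlaunched_leaks(handler, "alice"),
    }


if __name__ == "__main__":
    for label, handler in (("buggy", list_projects_buggy), ("fixed", list_projects)):
        print(label, run_regression_suite(handler))
```

Wiring `run_regression_suite` into the build so that any non-empty leak list fails the deploy is the point: the new homepage API is a new component, and the test pins the existing rule (drafts stay private) independently of however that component happens to query the store.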