Information Security News mailing list archives

Clinkle Gets Hacked Before It Even Launches


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 31 Jan 2014 08:47:48 +0000 (UTC)

http://techcrunch.com/2014/01/30/clinkle-gets-hacked-before-it-even-launches/

By Jordan Crook
@jordanrcrook
TechCrunch
January 30, 2014

Clinkle is the hottest app around to have done mostly nothing. The stealth payments service, which has raised $30 million from big-name investors, has yet to publicly launch. But that doesn’t mean it can’t be hacked.

Today, a guest user posted a list of 33 usernames, user IDs, profile photos, and phone numbers to PasteBin. Based on the data provided, it seems as though these users are Clinkle employees who are testing the app.

Founder Lucas Duplan is on the list (yep, that’s his Clinkle profile pic, shown above), as well as former Netflix CFO and Clinkle COO Barry McCarthy. Former PayPal exec Mike Liberatore, now Clinkle CFO, is also listed.

The data was seemingly accessed through a private API that Clinkle has in place. Referred to by the hacker as "typeahead", the API appears to be the basis of an autocomplete tool, allowing users to type a single letter (like 'A') and find all usernames starting with that letter (like 'Adam' and 'Andrew'). [Note: Twitter has a similar tool with the same name -- it's unclear if they're one and the same.]

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/
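
An added example, not part of the article or of Clinkle's code: one way a defender could spot the kind of single-letter autocomplete enumeration the article describes, by flagging clients that query many distinct one-character prefixes in a short window. The /typeahead path, the q parameter, the log layout and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access log: "<client> <epoch seconds> <method> <path>".
# The endpoint path and the "q" parameter are hypothetical names.
NORMAL = "".join(
    f"10.0.0.5 {1391070000 + i} GET /typeahead?q={p}\n"
    for i, p in enumerate(["a", "ad", "ada", "adam"])  # one person typing a name
)
SWEEP = "".join(
    f"203.0.113.9 {1391070010 + i} GET /typeahead?q={c}\n"
    for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")  # alphabet walk
)
SAMPLE_LOG = NORMAL + SWEEP


def find_prefix_sweeps(log_text, window=60, min_distinct=10, max_prefix_len=1):
    """Return {client: sorted short prefixes} for clients that request at least
    min_distinct different prefixes of length <= max_prefix_len within any
    span of `window` seconds."""
    events = defaultdict(list)  # client -> [(timestamp, prefix)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit():
            continue  # skip malformed lines
        client, ts, _method, path = parts
        url = urlparse(path)
        if url.path != "/typeahead":
            continue
        prefix = parse_qs(url.query).get("q", [""])[0].lower()
        if 0 < len(prefix) <= max_prefix_len:
            events[client].append((int(ts), prefix))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_distinct:
                flagged[client] = sorted({p for _, p in evs})
                break
    return flagged


if __name__ == "__main__":
    print(find_prefix_sweeps(SAMPLE_LOG))
```
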
