September 27, 2023

Security researchers have uncovered more than 1,500 apps leaking the Algolia API key and application ID, potentially exposing user data. 32 applications were found to have critical administrative secrets hardcoded, with 57 unique admin keys were found.

Algolia API is used to implement searches on websites and in applications. The search API powers billions of queries for thousands of companies every month, among them Stripe, Slack, Medium Corp. and Zendesk

The admin API key can be used to access different pre-defined Algolia API Keys, including search-only API key, monitoring API key, usage API key and analytics API keys.

Advertisements

The access can allow threat actors to read users’ personal information, modify, and delete users’ information, access IP addresses, and view a users’ app users.

The researchers didn’t name the apps instead said that they spanned shopping, education, lifestyle, business, and medical companies.

Developers are advised to remove all exposed keys, generate new ones, and store them securely. Companies exposing data were informed of the issue before the report was released.

The issue persists due to developers are not utilizing straightforward mitigations to counteract the underlying threats. In the case of third-party APIs like Algolia, mobile app developers could simply make use of just-in-time delivery mechanisms to provide the API keys only to genuine app instances and only when required to make API calls.

This research was documented by researchers from CloudSEK.

Tags:

Leave a Reply

You may have missed

BORN Canada latest victim of MoveIT data breach

September 27, 2023

Hardware Supply Chain Risk Assessment from CISA

September 27, 2023

Sony attack – Ransomed.vc claims responsibility

September 26, 2023

Chrome Zeroday – CVE-2023-4863 PoC Exploit Released

September 25, 2023

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023
%d bloggers like this: