API Keys and User data leaked by faulty Apps
Security researchers have uncovered more than 1,500 apps leaking the Algolia API key and application ID, potentially exposing user data. 32 applications were found to have critical administrative secrets hardcoded, with 57 unique admin keys were found.
Algolia API is used to implement searches on websites and in applications. The search API powers billions of queries for thousands of companies every month, among them Stripe, Slack, Medium Corp. and Zendesk
The admin API key can be used to access different pre-defined Algolia API Keys, including search-only API key, monitoring API key, usage API key and analytics API keys.
The access can allow threat actors to read users’ personal information, modify, and delete users’ information, access IP addresses, and view a users’ app users.
The researchers didn’t name the apps instead said that they spanned shopping, education, lifestyle, business, and medical companies.
Developers are advised to remove all exposed keys, generate new ones, and store them securely. Companies exposing data were informed of the issue before the report was released.
The issue persists due to developers are not utilizing straightforward mitigations to counteract the underlying threats. In the case of third-party APIs like Algolia, mobile app developers could simply make use of just-in-time delivery mechanisms to provide the API keys only to genuine app instances and only when required to make API calls.
This research was documented by researchers from CloudSEK.