Thousands of Algolia API Keys Could Expose Users' Data


Over 1500 apps have been found leaking their Algolia API key and Application ID, potentially exposing user data.

Security researchers at CloudSEK shared the data with Infosecurity before publication, adding that 32 of the above applications were found to have critical Admin secrets hardcoded and that the team had identified 57 unique admin keys so far.

Algolia’s application programming interface (API) enables developers to implement search, discovery and recommendations within websites, mobile and voice applications.

The solution is used by roughly 11,000 companies worldwide, including Stripe, Slack, Medium and Zendesk, to manage a reported 1.5 trillion search queries yearly.

“The admin API key can be used to access different pre-defined Algolia API Keys, including Search-only API key, Monitoring API key, Usage API key, and Analytics API keys,” warned CloudSEK.

This may enable threat actors to read users’ personal information, modify and delete users’ information, access users’ IP addresses and other access details, and view users’ app usage and other analytics.

Of the 32 applications leaking 57 valid unique Admin API keys, the majority were from shopping, education, lifestyle, business and medical companies.

“While this is not a flaw in Algolia or other such services that provide integrations, it is evidence of how API keys are mishandled by app developers. So, it is up to individual companies to address the security concerns associated with payment gateways, AWS services, open firebases, etc.,” CloudSEK explained.

“To prevent this, we advise developers to remove all exposed keys, generate new ones, and store them securely,” Syed Shahrukh Ahmad, co-founder at CloudSEK, told Infosecurity. The executive also confirmed the company notified Algolia and the affected apps about the hardcoded API keys.
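A check a developer could run over their own source tree before release, as an added example that is not part of the article or CloudSEK's report: it flags key-shaped literals near an Algolia reference and redacts them in the output. The key and Application ID formats, the function names and the sample source are assumptions made for this illustration.

```python
import re

# Assumed formats (not stated in the article): an API key is 32 hex characters,
# an Application ID is 10 upper-case alphanumerics.
PATTERNS = [
    ("api_key", re.compile(r"""["']([0-9a-fA-F]{32})["']""")),
    ("app_id", re.compile(r"""["']([A-Z0-9]{10})["']""")),
]
CONTEXT = re.compile(r"algolia", re.IGNORECASE)

# Constructed sample source; every value below is made up.
SAMPLE = '''\
// Constructed sample for the scanner
const checksum = "ffffffffffffffffffffffffffffffff"; // unrelated digest
function render() {}

import algoliasearch from "algoliasearch";
const client = algoliasearch("AB12CD34EF", "0123456789abcdef0123456789abcdef");
const index = client.initIndex("products");
'''

def redact(value):
    """Keep the first 4 characters so the report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_source(text, window=1):
    """Return (line_no, kind, redacted_value) for literals near an Algolia reference."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        nearby = " ".join(lines[max(0, i - window): i + window + 1])
        if not CONTEXT.search(nearby):
            continue  # key-shaped string with no Algolia context: likely a hash
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append((i + 1, kind, redact(match.group(1))))
    return findings

if __name__ == "__main__":
    # A hit cannot tell an Admin key from a Search-only key; check the key's
    # permissions in the Algolia dashboard, then rotate it and move it out of source.
    for line_no, kind, value in scan_source(SAMPLE):
        print(f"line {line_no}: possible hardcoded Algolia {kind}: {value}")
```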

The CloudSEK report detailing the new findings will be publicly available at this link from Tuesday, November 22.

The advisory follows an October analysis by John Iwuozor, cybersecurity content writer at Bora Design, suggesting that API attacks have emerged as the number one threat vector in 2022.
