Jump to content
  • Apps with over 3 million installs leak 'Admin' search API keys

    alf9872000

    • 339 views
    • 3 minutes
     Share


    • 339 views
    • 3 minutes

    Researchers discovered 1,550 mobile apps leaking Algolia API keys, risking the exposure of sensitive internal services and stored user information.

     

    Of those apps, 32 expose admin secrets, including 57 unique admin keys, giving attackers a way to access sensitive user information or modify app index records and settings.

     

    The discovery of this exposure comes from Singapore-based cybersecurity firm CloudSEK, who shared their findings exclusively with BleepingComputer.

    Algolia API details

    The Algolia API (Application Program Interface) is a proprietary platform for integrating search engines with discovery and recommendation features in websites and applications used by over 11,000 companies.

     

    The system uses five API keys for Admin, Search, Monitoring, Usage, and Analytics.

     

    Of those keys, only the Search is meant to be public and available on front-end code, helping users perform search queries on the apps.

     

    The Monitoring key gives admins a glimpse of their cluster status, Usage and Analytics give usage stats, while the Admin key offers access to the other four API key services, as well as the following:

    • Browse/Delete the index
    • Add/Delete records
    • List indices
    • Get/Set index settings
    • Get access logs
    • Get irretrievable attributes

     

    Abusing the above services can expose data containing user device and network access details, usage statistics, search logs, and manipulation of the associated information.

    Exposing app ID and API keys

    CloudSEK’s automated scanners found that 1,550 applications are leaking the Algolia API key and application ID, risking unauthorized access to internal information.

     

    "While the admin API key enables threat actors to perform several critical actions and provides access to sensitive data, even with one or more of the other API keys, threat actors can search or view sensitive data," a CloudSEK analyst told BleepingComputer.

     

    "Also, depending on code changes in future versions of apps, threat actors may be able to access more sensitive data using just these keys."

     

    The 32 apps that leak Admin API keys are more critical, as they expose their users to data leak risks and the databases to malicious modifications that could incur business damage.

     

    The apps exposing Algolia Admin API keys have approximately 3,250,000, with some apps having over a million downloads each.

     

    api-diagram.png

    API keys leak (CloudSEK)

     

    The category most prone to exposed keys was shopping apps, collectively downloaded 2.3 million times.

     

    In a list of leaky apps shared with BleepingComputer, other categories include news apps, food and drink, education, fitness, photography, lifestyle, productivity, medical, and business apps, collectively downloaded over 950,000 times.

     

    CloudSEK says they contacted all of the app developers to alert them about the exposure but have not heard back from any of them.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...