Thousands of Algolia API Keys Could Expose Users’ Data
Over 1,500 apps have been found leaking their Algolia API key and Application ID, potentially exposing user data.
Security researchers at CloudSEK shared the data with Infosecurity before publication, adding that 32 of those applications were found to have critical Admin secrets hardcoded and that the team had identified 57 unique admin keys so far.
Algolia’s application programming interface (API) enables developers to implement search, discovery and recommendations within websites, mobile and voice applications.
The solution is used by roughly 11,000 companies worldwide, including Stripe, Slack, Medium and Zendesk, to manage a reported 1.5 trillion search queries yearly.
“The admin API key can be used to access different pre-defined Algolia API Keys, including Search-only API key, Monitoring API key, Usage API key, and Analytics API keys,” warned CloudSEK.
This may enable threat actors to read users’ personal information, modify and delete users’ information, access users’ IP addresses and other access details, and view users’ app usage and other analytics.
Of the 32 applications leaking 57 valid unique Admin API keys, the majority were from shopping, education, lifestyle, business and medical companies.
“While this is not a flaw in Algolia or other such services that provide integrations, it is evidence of how API keys are mishandled by app developers. So, it is up to individual companies to address the security concerns associated with payment gateways, AWS services, open firebases, etc.,” CloudSEK explained.
“To prevent this, we advise developers to remove all exposed keys, generate new ones, and store them securely,” Syed Shahrukh Ahmad, co-founder at CloudSEK, told Infosecurity. The executive also confirmed the company notified Algolia and the affected apps about the hardcoded API keys.
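As an added example (not code from CloudSEK or Algolia), the kind of secret-scanning check that advice implies: it flags Algolia credentials written as literals in a config and leaves runtime environment lookups alone. The Application ID and API key formats and the sample config are assumptions, not values from the report.

```python
"""Secret-scanning check for hardcoded Algolia credentials (added example)."""
import re
from dataclasses import dataclass

# Assumed value formats (not stated in the article): Algolia Application IDs
# are 10 upper-case alphanumerics and API keys are 32 lower-case hex chars.
HEX32 = re.compile(r"[0-9a-f]{32}")
APP_ID = re.compile(r"[A-Z0-9]{10}")
# Matches `name = "value"`, `name: "value"` and `"name": "value"` on one line.
ASSIGN = re.compile(r"""["']?(?P<name>[A-Za-z_][\w.]*)["']?\s*[:=]\s*["'](?P<value>[^"']+)["']""")

@dataclass(frozen=True)
class Finding:
    line: int
    name: str
    kind: str      # "app_id" or "api_key"
    severity: str  # "high", "review" or "info"
    preview: str   # first 4 chars only; never log the full secret

def classify_key(name: str) -> str:
    """Severity from the variable name: the key format alone cannot tell an
    admin key from a search-only key, so "review" means: check its ACL."""
    lname = name.lower()
    if "admin" in lname or "write" in lname:
        return "high"
    if "search" in lname:
        return "info"  # search-only keys are meant for clients; still verify the ACL
    return "review"

def scan_text(text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            name, value = m.group("name"), m.group("value")
            lname = name.lower()
            if HEX32.fullmatch(value) and ("key" in lname or "algolia" in lname):
                findings.append(Finding(lineno, name, "api_key", classify_key(name), value[:4]))
            elif APP_ID.fullmatch(value) and "app" in lname and "id" in lname:
                findings.append(Finding(lineno, name, "app_id", "info", value[:4]))
    return findings

# Constructed sample of an app config; the values are made up, not real keys.
SAMPLE = """\
const ALGOLIA_APP_ID = "AB12CD34EF";
const algoliaAdminKey = "0123456789abcdef0123456789abcdef";  // must never ship in a client
const searchOnlyKey = "fedcba9876543210fedcba9876543210";
const adminKey = process.env.ALGOLIA_ADMIN_KEY;  // runtime lookup, not flagged
"""
```

Running `scan_text(SAMPLE)` reports the App ID and both key literals, rating the admin key "high" and the search-only key "info", and does not report the environment lookup.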
The CloudSEK report detailing the new findings will be publicly available at this link from Tuesday, November 22.
The advisory follows an October analysis by John Iwuozor, cybersecurity content writer at Bora Design, suggesting that API attacks have emerged as the number one threat vector in 2022.