CloudSEK researchers have reported leaks of Algolia API keys. Algolia's API is used by approximately 11,000 companies to implement search and recommendations on websites and in mobile applications.
Algolia uses Admin, Search, Monitoring, Usage and Analytics API keys. Of these, only the Search key is designed to interact with end users and is exposed in front-end code, where it is used to run search queries in applications.
The rest of the keys can only be accessed using the Admin key, which additionally provides the ability to:
view or delete an index;
add or remove records;
list indices;
get or set index settings;
retrieve access logs.
If the Admin API key falls into an attacker's hands, they can use it to access information about users' connections, usage statistics and search history. In addition, the attacker would be able to modify the application's databases.
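The practical question for a development team is whether a key shipped inside an app bundle is a Search-only key or one of the privileged keys described above. The following Python example is added here and is not part of the original article or of Algolia's tooling. It flags 32-character hexadecimal tokens on lines that mention Algolia or an API key (the key format and the ACL names such as `search`, `addObject`, `deleteIndex` and `logs` are assumptions based on Algolia's public documentation and should be verified against it), then rates each key by the ACL list that Algolia's key-details endpoint would return. The bundle text and the ACL response are constructed sample data; in real use the ACL lookup would be a call to that endpoint made with the key itself.

```python
import re

# Privileges a key embedded in client-side code should never carry.
# ACL names are an assumption taken from Algolia's public docs; verify them.
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings"}
READ_SENSITIVE_ACLS = {"logs", "analytics", "usage", "listIndexes", "settings", "browse"}
SAFE_ACLS = {"search"}

# Heuristic: Algolia API keys are 32 hex characters (assumption).
KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")
CONTEXT_RE = re.compile(r"algolia|api[_-]?key", re.IGNORECASE)


def classify_key(acl):
    """Rate a key by the ACL list Algolia reports for it."""
    acl = set(acl)
    if acl & WRITE_ACLS:
        return "critical"   # can modify or delete indices and records
    if acl & READ_SENSITIVE_ACLS:
        return "high"       # can read logs, analytics, usage or settings
    if acl <= SAFE_ACLS:
        return "ok"         # search-only key, intended for front-end use
    return "review"         # unknown ACL names; inspect manually


def find_candidate_keys(bundle_text):
    """Return hex tokens that sit on a line mentioning Algolia or an API key.

    Restricting to such lines keeps unrelated 32-hex values (MD5 checksums,
    resource hashes) out of the candidate list.
    """
    found = set()
    for line in bundle_text.splitlines():
        if CONTEXT_RE.search(line):
            found.update(KEY_RE.findall(line))
    return sorted(found)


def triage(bundle_text, key_details_by_value):
    """Combine string extraction with per-key ACL classification.

    key_details_by_value maps a key to the JSON object the key-details
    endpoint returns for it (here supplied as constructed data).
    """
    findings = []
    for key in find_candidate_keys(bundle_text):
        details = key_details_by_value.get(key)
        if details is None:
            findings.append({"key": key, "severity": "review", "acl": []})
            continue
        acl = details.get("acl", [])
        findings.append({"key": key, "severity": classify_key(acl), "acl": sorted(acl)})
    return findings


# Constructed sample: strings as they might be dumped from an app bundle.
CONSTRUCTED_BUNDLE_TEXT = """\
ALGOLIA_APP_ID=EXAMPLEAPP
ALGOLIA_API_KEY=0f1e2d3c4b5a69788796a5b4c3d2e1f0
asset_checksum=d41d8cd98f00b204e9800998ecf8427e
"""

# Constructed sample: what the key-details lookup would report for that key.
CONSTRUCTED_KEY_DETAILS = {
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0": {
        "acl": ["search", "addObject", "deleteIndex", "logs"],
        "description": "constructed sample key",
    }
}

if __name__ == "__main__":
    for finding in triage(CONSTRUCTED_BUNDLE_TEXT, CONSTRUCTED_KEY_DETAILS):
        print(finding)
```

A key rated `critical` or `high` in client-side code is the condition the article describes: it should be rotated and replaced with a Search-only key, and the app release should be audited for any other embedded credentials.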
During the CloudSEK study, researchers found that 1,550 applications leak Algolia API keys and application IDs, creating a risk of unauthorized access to confidential information. Worse, problems arise when any of the keys leaks, not only the Admin key, which gives attackers the most capabilities.
Of all the applications found, 32 leak the Admin key, exposing more than three million users to the risk of a data leak. Most of the leaked keys belong to online shopping applications, which have more than 2.3 million downloads in total. CloudSEK reports that it has already contacted all of the applications' developers and warned them about the API key leak, but has not received a reply from any of them.