Thousands of applications have been spotted leaking Algolia API keys, including some with hardcoded admin secrets that hackers could utilise to steal millions of users' data.
Algolia is a proprietary search engine service with APIs that companies can use and incorporate into the functionalities of their apps, such as search, recommendations, and discoveries. Over 11,000 organisations worldwide have utilised the Algolia API keys, including Slack, Zendesk, and Lacoste.
About 1,550 apps have leaked Algolia API keys, and 32 of them contain hardcoded admin secrets that could give malicious actors access to pre-defined APIs.
The 32 applications containing hardcoded admin secrets had over 2.5 million user downloads, implying that the data of millions of Algolia users could potentially be exposed to cyberattacks. If a threat actor finds these flaws, they could read exposed user information, such as access details, analytics data, and IP addresses. Attackers could also delete this data if they desired.
Researchers note that the discovered issue is not a flaw in Algolia or in any similar integration platform. Rather, it illustrates how application developers can mishandle API keys in ways that expose them to cyberattacks.
In this case, the companies involved are responsible for addressing the security concerns linked to their payment gateways, open Firebase instances, or AWS services.
Furthermore, experts state that the Algolia API requires the API key and application ID to be passed in two request headers in order to use its services, which include search, retrieving logs and API data, browsing an index, adding or deleting records, and listing, reading, or updating indexes.
Once an unauthorised party obtains a leaked API key, they can navigate these features and read critical information they were never meant to access.
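The two headers mentioned above are what make a hardcoded admin key so dangerous: anyone who extracts the key and application ID from an app bundle can send them as-is. The following is an added example, not code from the article or from Algolia, showing how a defender can scan bundled client source for hardcoded Algolia credentials and then rate each finding by the key's ACL so that write-capable and log-reading keys are rotated first. The source snippet, the key values, and the ACL lookup table are constructed for the example; the header names, the `algoliasearch(appId, apiKey)` constructor shape, the 32-hex-character key format, and the ACL names are assumptions drawn from Algolia's public API conventions.

```python
"""Triage hardcoded Algolia credentials found in client-side source.

Added example (not from the article). Detection patterns and ACL names are
assumptions based on Algolia's public API conventions.
"""
import re

# Constructed sample of lines a scan of a bundled JS/Android app might see.
SAMPLE_SOURCE = """\
const client = algoliasearch("ABCDEFGHIJ", "0123456789abcdef0123456789abcdef");
headers.put("X-Algolia-API-Key", "ffffffffffffffffffffffffffffffff");
headers.put("X-Algolia-Application-Id", "ZYXWVUTSRQ");
const searchClient = algoliasearch("ABCDEFGHIJ", process.env.ALGOLIA_SEARCH_KEY);
"""

# Constructed stand-in for what a key-inspection lookup would return per key
# (in practice this comes from the account owner's Algolia dashboard or API).
SAMPLE_ACL_LOOKUP = {
    "0123456789abcdef0123456789abcdef": ["search", "addObject", "deleteObject", "logs"],
    "ffffffffffffffffffffffffffffffff": ["search", "browse", "logs"],
}

HEX32 = r"[0-9a-fA-F]{32}"  # assumption: Algolia API keys are 32 hex characters
# Pattern 1: client constructor called with two string literals (app id, key).
CLIENT_INIT = re.compile(
    r'algoliasearch\(\s*["\']([A-Z0-9]{10})["\']\s*,\s*["\'](' + HEX32 + r')["\']'
)
# Pattern 2: the API-key request header populated from a string literal.
HEADER_KEY = re.compile(
    r'X-Algolia-API-Key["\']\s*,\s*["\'](' + HEX32 + r')["\']', re.IGNORECASE
)

# ACLs that let the holder alter or destroy index data.
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings"}
# ACLs that expose data a search-only key should never reach (logs, analytics,
# full index dumps, index listings).
READ_SENSITIVE_ACLS = {"browse", "logs", "analytics", "listIndexes", "settings", "usage"}


def find_hardcoded_keys(source):
    """Return a list of {line, app_id, key, via} for each literal key in source.

    A key injected from the environment at build time (line 4 of the sample)
    is not matched: only string literals are flagged.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CLIENT_INIT.search(line)
        if m:
            findings.append({"line": lineno, "app_id": m.group(1),
                             "key": m.group(2), "via": "client-init"})
        m = HEADER_KEY.search(line)
        if m:
            findings.append({"line": lineno, "app_id": None,
                             "key": m.group(1), "via": "header"})
    return findings


def rate_key(acl):
    """Rate a key's ACL list: critical > high > review > acceptable."""
    acl = set(acl)
    if acl & WRITE_ACLS:
        return "critical"      # can add, modify, or delete records/indexes
    if acl & READ_SENSITIVE_ACLS:
        return "high"          # can read logs, analytics, or dump whole indexes
    if acl <= {"search"}:
        return "acceptable"    # search-only keys are designed to be public
    return "review"            # unfamiliar ACL: inspect manually


def triage(source, acl_lookup):
    """Attach a severity to every hardcoded key found in source.

    Keys absent from acl_lookup are marked 'unknown' rather than guessed.
    """
    results = []
    for f in find_hardcoded_keys(source):
        acl = acl_lookup.get(f["key"])
        f["severity"] = rate_key(acl) if acl is not None else "unknown"
        results.append(f)
    # Most severe first so rotation work is prioritised correctly.
    order = {"critical": 0, "high": 1, "review": 2, "unknown": 3, "acceptable": 4}
    return sorted(results, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for finding in triage(SAMPLE_SOURCE, SAMPLE_ACL_LOOKUP):
        print(f"line {finding['line']:>3} [{finding['severity']:<10}] "
              f"{finding['via']:<11} key={finding['key'][:8]}... rotate")
```

The remediation implied by the rating is the one the article's experts recommend: a key rated `critical` or `high` should be revoked and replaced, and the client should ship only a search-only key (or call an authenticated backend that holds the privileged key), which is what the fourth sample line models.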
Experts recommend that affected organisations revoke the leaked Algolia API keys and generate new ones with a more secure, least-privilege setup. Additionally, organisations should ensure that critical and external APIs are only reached through authenticated endpoints, so that a key embedded in a client cannot be reused to cause a data breach.
Algolia and the affected companies have been contacted and informed about the issue.
