Thousands of Algolia API keys could expose user data

Over 1,500 apps have been discovered leaking Algolia API key and App ID, potentially exposing user data.

Security Researchers at CloudSEK shared data with Infosecurity before publication, adding that 32 of the above apps had hard-coded critical admin secrets and that the team had identified 57 unique admin keys so far.

AlgoliaThe application programming interface (API) of allows developers to implement search, discovery and recommendations in websites, mobile and voice applications.

The solution is used by approximately 11,000 companies worldwide, including Stripe, Slack, Medium and Zendesk, to handle 1.5 trillion search queries per year.

“The Admin API Key can be used to access various predefined Algolia API Keys, including the Search-Only API Key, Monitoring API Key, Usage API Key, and Analytics API Keys,” CloudSEK warned. .

This may allow threat actors to read users’ personal information, modify and delete user information, access user IP addresses and other access details, and view usage user applications and other analytics.

Of the 32 apps that leaked 57 valid unique admin API keys, the majority were from shopping, education, lifestyle, business, and medical companies.

“While this is not a flaw of Algolia or other such services that provide integrations, it does prove that API keys are mishandled by app developers. It is therefore up to the individual businesses to address security issues associated with payment gateways, AWS services, open databases, and more,” explained CloudSEK.

“To avoid this, we advise developers to delete all exposed keys, generate new ones, and store them securely,” said Syed Shahrukh Ahmad, co-founder of CloudSEK. Infosecurity. The executive also confirmed that the company informed Algolia and affected apps of the hard-coded API keys.

The CloudSEK report detailing the new findings will be publicly available at this link from Tuesday 22 November.

The advisory follows an October analysis by John Iwuozor, cybersecurity content writer at Bora Design, suggesting that API attacks have emerged as the number one threat vector in 2022.