Researchers discovered 1,550 mobile apps leaking Algolia API keys, risking the exposure of sensitive internal services and stored user information.
Of those apps, 32 expose admin secrets, including 57 unique admin keys, giving attackers a way to access sensitive user information or modify app index records and settings.
Algolia API details
The Algolia API (Application Programming Interface) is a proprietary hosted search platform that adds search, discovery and recommendation features to websites and applications; it is used by over 11,000 companies.
The system uses five API keys for Admin, Search, Monitoring, Usage, and Analytics.
Of those keys, only the Search key is meant to be public and shipped in front-end code, where it lets users run search queries from the app.
The Monitoring key gives admins a view of their cluster status, the Usage and Analytics keys return usage statistics, while the Admin key covers everything the other four keys can do and additionally allows the holder to:
- Browse/Delete the index
- Add/Delete records
- List indices
- Get/Set index settings
- Get access logs
- Read attributes marked as unretrievable (fields deliberately hidden from search responses)
Abusing these capabilities can expose user device and network details, usage statistics and search logs, and lets an attacker tamper with the indexed data itself.
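To make the key-permission model concrete, here is an added Python example; it is not CloudSEK's scanner and not code from the article. It pulls Algolia application IDs and API keys out of a decompiled app's resources and rates each key by the ACLs Algolia reports for it. It assumes the common credential shapes (10-character uppercase app IDs, 32-character hex keys) and Algolia's GET /1/keys/{key} endpoint, which lets a key describe its own permissions (confirm against the current API reference before relying on it); the ACL names (search, browse, addObject, deleteIndex, editSettings, seeUnretrievableAttributes, and so on) are Algolia's. The strings.xml fragment and the demo_fetch stub are constructed for the example so it runs offline.

```python
"""Triage Algolia credentials found in a decompiled mobile app.

Added example (not CloudSEK's scanner). Credential shapes, the sample
resources and the offline fetch stub are assumptions, noted inline.
"""
import json
import re
import urllib.request

# Assumed credential shapes: app IDs are 10 uppercase alphanumerics, API keys
# 32 lowercase hex chars. Matches are candidates, not proof.
APP_ID_RE = re.compile(r"\b[A-Z0-9]{10}\b")
API_KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")

# Algolia ACL names. A key shipped in a client should carry "search" only.
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings"}
DATA_ACLS = {"browse", "listIndexes", "logs", "seeUnretrievableAttributes",
             "settings", "analytics", "usage"}


def find_candidates(text):
    """Sorted (app_id, api_key) pairs found within a few lines of 'algolia'.
    The window cuts false positives from other 32-hex values (build hashes,
    other vendors' keys)."""
    lines = text.splitlines()
    near = set()
    for i, line in enumerate(lines):
        if "algolia" in line.lower():
            near.update(range(max(0, i - 3), min(len(lines), i + 4)))
    blob = "\n".join(lines[i] for i in sorted(near))
    app_ids = set(APP_ID_RE.findall(blob))
    keys = set(API_KEY_RE.findall(blob))
    return sorted((a, k) for a in app_ids for k in keys)


def classify(acl):
    """Rate a key from the ACL list Algolia reports for it."""
    acl = set(acl)
    if acl & WRITE_ACLS:
        return "admin-equivalent"  # add/delete records, edit settings, drop indices
    if acl & DATA_ACLS:
        return "read-sensitive"    # dump whole indices, logs, hidden attributes
    if acl and acl <= {"search", "recommendation"}:
        return "search-only"       # the only ACL that belongs in a client
    return "unknown"


def _http_get_json(url, headers):
    """Default transport: plain GET, decoded JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def inspect_key(app_id, api_key, fetch=_http_get_json):
    """Ask Algolia what this key may do (GET /1/keys/{key}). A non-admin key
    can only describe itself, which is all we need. Returns the ACL list, or
    None when the lookup fails (revoked key, wrong app ID, undescribed key)."""
    url = f"https://{app_id}-dsn.algolia.net/1/keys/{api_key}"
    headers = {"X-Algolia-Application-Id": app_id, "X-Algolia-API-Key": api_key}
    try:
        body = fetch(url, headers)
    except (OSError, ValueError):  # URLError/HTTPError are OSErrors; bad JSON is ValueError
        return None
    return body.get("acl")


def triage(text, fetch=_http_get_json):
    """End to end: candidates -> live ACL check -> (app_id, key, rating) rows."""
    rows = []
    for app_id, key in find_candidates(text):
        acl = inspect_key(app_id, key, fetch)
        rows.append((app_id, key, "unverified" if acl is None else classify(acl)))
    return rows


# Constructed sample: a strings.xml fragment like apktool produces. The IDs and
# keys are invented and belong to no real application.
SAMPLE_STRINGS_XML = """\
<resources>
    <string name="app_name">ShopDemo</string>
    <string name="algolia_app_id">X1Y2Z3W4V5</string>
    <string name="algolia_search_key">0123456789abcdef0123456789abcdef</string>
    <string name="algolia_admin_key">fedcba9876543210fedcba9876543210</string>
    <string name="build_sha">9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08</string>
</resources>
"""


def demo_fetch(url, headers):
    """Offline stand-in for Algolia's key endpoint (constructed responses)."""
    canned = {
        "0123456789abcdef0123456789abcdef": {"acl": ["search"]},
        "fedcba9876543210fedcba9876543210": {"acl": ["search", "addObject", "deleteIndex"]},
    }
    key = url.rsplit("/", 1)[1]
    if key not in canned:
        raise ValueError("unknown key")
    return canned[key]


if __name__ == "__main__":
    for app_id, key, rating in triage(SAMPLE_STRINGS_XML, demo_fetch):
        print(f"{app_id} {key[:8]}... {rating}")
```

Against a real target, feed it the decoded resources from apktool (strings.xml, assets, BuildConfig constants) and leave the default transport in place; the 64-character build hash in the sample shows why the key pattern is anchored on word boundaries. Any key that rates as something other than search-only was never meant to leave the backend, and the fix is rotation, not just removal from the next build, because the leaked value stays valid until it is revoked.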
Exposing app ID and API keys
CloudSEK’s automated scanners found that 1,550 applications are leaking the Algolia API key and application ID, risking unauthorized access to internal information.
“While the admin API key enables threat actors to perform several critical actions and provides access to sensitive data, even with one or more of the other API keys, threat actors can search or view sensitive data,” a CloudSEK analyst told BleepingComputer.
“Also, depending on code changes in future versions of apps, threat actors may be able to access more sensitive data using just these keys.”
The 32 apps that leak Admin API keys are the more critical cases, since they expose their users to data leaks and their databases to malicious modification that could cause business damage.
The apps exposing Algolia Admin API keys have approximately 3,250,000 downloads in total, with some apps having over a million downloads each.
The category most prone to exposed keys was shopping apps, collectively downloaded 2.3 million times.
In a list of leaky apps shared with BleepingComputer, other categories include news apps, food and drink, education, fitness, photography, lifestyle, productivity, medical, and business apps, collectively downloaded over 950,000 times.
CloudSEK says they contacted all of the app developers to alert them about the exposure but have not heard back from any of them.