Highlights:

  • According to the researchers, the admin API key can be used to access various pre-defined Algolia API keys, such as search-only API keys, monitoring API keys, usage API keys, and analytics API keys.
  • It is now recommended that developers remove all exposed keys, generate new ones and securely store them.

Security researchers have found more than 1,500 apps that have leaked their Algolia application ID and application programming interface key, which could expose crucial user data.

Researchers at CloudSEK Information Security Pte. Ltd. uncovered 57 distinct admin keys in 32 applications that had essential administrative secrets hardcoded, and recently shared the discovery with Infosecurity Magazine.

The API provided by Algolia Inc. is used to implement search on websites and in applications. Every month, the search API powers billions of queries for thousands of businesses, including Stripe Inc., Slack, Medium Corp., and Zendesk Inc. — but only sometimes securely.

According to the researchers, the admin API key can be used to access various pre-defined Algolia API keys, such as search-only API keys, monitoring API keys, usage API keys, and analytics API keys.

Because of this access, threat actors may be able to read users’ personal information, modify and delete users’ information, access IP addresses, and view a user’s app users.

While the researchers did not name the 32 apps that had admin secrets hardcoded, they did say that they were from shopping, education, lifestyle, business and medicine-based companies.

It should be noted that the problem is not with Algolia or similar services but with app developers who misuse API keys.

It is recommended that developers remove all exposed keys, generate new ones and securely store them. Companies with exposed data were notified of the problem before the report was published.

“This is the latest in a long list of reports which demonstrates how widespread the storage of API keys is in mobile apps,” David Stewart, the CEO of the mobile app security business Approov, told a well-known media organization.

The issue is that developers are not utilizing straightforward mitigations to counteract the underlying threats.

Stewart explained, “Specifically, in the case of third-party APIs like Algolia, mobile app developers could simply use just-in-time delivery mechanisms to provide the API keys only to genuine app instances and only when required to make API calls. This would block all attempts to use and abuse via scripts any API keys which have ‘leaked’ from the app.”

According to Chad Glinsky, a backend engineer with the security posture business Horizon3.ai Inc., all users should be aware that API keys are essentially a login and password.

Glinsky added, “If they are leaked, it’s analogous to leaking your username and password … no Bueno! Users should protect their API keys as vigorously as they protect their passwords. Leaking an API key can be more consequential than leaking a username and password login since logins are often protected by two-factor authentication nowadays, whereas API keys are not.”