22 November 2022

Over 1,000 mobile apps leak Algolia API keys


Over 1,000 mobile apps leak Algolia API keys

Researchers at Singapore-based cybersecurity firm CloudSEK have found 1,550 mobile applications leaking the Algolia API key & Application ID, potentially exposing sensitive user data.

Algolia’s API lets developers quickly implement search within websites and mobile apps. The solution is currently used by over 11,000 companies to manage over a trillion search queries a year.

Out of 1,550 apps 32 were found to have critical Admin secrets hardcoded, and so far 57 unique admin keys have been identified. The list of leaky apps includes shopping apps, news, food and drink, education, entertainment, health and style, medical and business apps, with over 3 million collective downloads.

The admin API key can be used to access different pre-defined Algolia API keys including search-only API key, monitoring API key, usage API key, and analytics API keys. This access could be used by threat actors to read, modify and delete users’ information; access users’ IP addresses, or view app usage and other analytics.

“While this is not a flaw in Algolia or other such services that provide integrations, it is evidence of how API keys are mishandled by app developers. So, it is up to individual companies to address the security concerns associated with payment gateways, AWS services, open firebases, etc.,” the researchers said.

CloudSEK said it notified Algolia and the affected apps about the hardcoded API keys.

Back to the list

Latest Posts

Cyber Security Week in Review: December 8, 2023

Cyber Security Week in Review: December 8, 2023

The world in brief: FSB hackers doxxed, Russian hackers exploit a critical Outlook bug, and more.
8 December 2023
The UK accuses FSB-linked Star Blizzard hacker group of political interference in the UK and globally

The UK accuses FSB-linked Star Blizzard hacker group of political interference in the UK and globally

The UK authorities sanctioned two members of the group.
7 December 2023
Malicious Lockdown Mode attack tricks users into thinking their iPhone is secure

Malicious Lockdown Mode attack tricks users into thinking their iPhone is secure

The tampering technique only works on devices that have already been compromised.
7 December 2023