Improper implementation of API KEY could be exploited to steal millions of users' personal information
Attacks against third party API calls have been on the rise, and many companies are still very vulnerable.

Using its BeVigil application security search engine, CloudSEK researchers discovered over 1,500 apps leaking an Algolia API key together with the Algolia Application ID.

Algolia's API lets developers build search, discovery and recommendations into websites and mobile apps. Over 11,000 companies use it, including Lacoste, Stripe and Slack, serving over 1.5 trillion searches per year.

CloudSEK also identified 462 apps with highly sensitive Algolia keys hardcoded in them. Among these, 32 applications contained 57 unique Algolia Admin API keys (the key Algolia issues when the account is set up, which carries full control over the Algolia application). These apps were shipping critical secrets inside their binaries, and not even the Admin key itself was an exception.
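The kind of check that finds these leaks can be reproduced on a single decompiled app. The scanner below is an added example written for this article; it is not CloudSEK's BeVigil code. It walks decompiled sources (what apktool or jadx produce) and reports Algolia-looking values that sit near an Algolia-specific string. The value formats (10 upper-case alphanumerics for the Application ID, 32 lower-case hex digits for an API key) are heuristics taken from the shape of Algolia's documentation examples, the sample files are constructed, and the "suspected admin" label is based only on the variable name next to the key: a search-only key and the Admin key look identical, so confirming which one was leaked means checking the key's permissions on the Algolia side.

```python
import re

# Heuristic patterns for the two values an app needs to call Algolia. Application
# IDs are 10 upper-case alphanumerics and API keys are 32 lower-case hex digits
# (the shape of the values in Algolia's own documentation). A search-only key and
# the Admin key look identical, so nothing here can tell them apart offline.
APP_ID_RE = re.compile(r"(?<![A-Za-z0-9])[A-Z0-9]{10}(?![A-Za-z0-9])")
API_KEY_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{32}(?![0-9a-fA-F])")
# Only report values that sit near an Algolia-specific string; this is what keeps
# unrelated constants and MD5 hashes out of the results.
HINT_RE = re.compile(r"algolia", re.IGNORECASE)
ADMIN_HINT_RE = re.compile(r"admin", re.IGNORECASE)

# Constructed stand-in for a decompiled app (apktool/jadx output). The IDs and
# keys are made up and match nothing real.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="algolia_app_id">AB12CD34EF</string>\n'
        '    <string name="algolia_api_key">0123456789abcdef0123456789abcdef</string>\n'
        "</resources>\n"
    ),
    "smali/com/example/SearchClient.smali": (
        ".method private buildHeaders()V\n"
        '    const-string v0, "X-Algolia-API-Key"\n'
        '    const-string v1, "fedcba9876543210fedcba9876543210"\n'
        "    invoke-virtual {p0, v0, v1}, Lcom/example/SearchClient;->put(Ljava/lang/String;Ljava/lang/String;)V\n"
        ".end method\n"
    ),
    "assets/config.json": (
        '{"algolia": {"appId": "AB12CD34EF", "adminApiKey": "fedcba9876543210fedcba9876543210"}}\n'
    ),
    "smali/com/example/Unrelated.smali": (
        '    const-string v0, "ZZZZZZZZZZ"\n'
        '    const-string v1, "d41d8cd98f00b204e9800998ecf8427e"\n'  # an MD5, not a key
    ),
}


def scan_sources(files: dict, window: int = 2) -> list:
    """Return one finding per Algolia-looking value found within `window` lines
    of an Algolia hint string. `files` maps a path to the file's text."""
    findings = []
    for path, text in files.items():
        lines = text.splitlines()
        for i, line in enumerate(lines):
            # Context = this line plus the few lines before it, so a key whose
            # variable name is on the previous line is still caught.
            context = " ".join(lines[max(0, i - window): i + 1])
            if not HINT_RE.search(context):
                continue
            for m in APP_ID_RE.finditer(line):
                findings.append({"path": path, "line": i + 1, "kind": "app_id", "value": m.group()})
            for m in API_KEY_RE.finditer(line):
                # Name-based guess only; verify the key's ACLs before calling it admin.
                kind = "api_key_admin?" if ADMIN_HINT_RE.search(context) else "api_key"
                findings.append({"path": path, "line": i + 1, "kind": kind, "value": m.group()})
    return findings


def summarize(findings: list) -> dict:
    """Deduplicate across files, the way the report counts unique keys per app."""
    return {
        "unique_app_ids": sorted({f["value"] for f in findings if f["kind"] == "app_id"}),
        "unique_keys": sorted({f["value"] for f in findings if f["kind"].startswith("api_key")}),
        "suspected_admin_keys": sorted({f["value"] for f in findings if f["kind"] == "api_key_admin?"}),
    }


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['kind']:15} {f['value']}")
    print(summarize(SAMPLE_FILES and scan_sources(SAMPLE_FILES)))
```

On a real target, replace SAMPLE_FILES with a walk over the decompiled directory; the same key will usually surface in several places (resources, smali constants, bundled config), which is why the summary deduplicates.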

Algolia scopes each key to a predefined set of permissions (a search-only key, a monitoring key, a usage key, an analytics key, and so on); the Admin API key holds every permission. A leaked Admin key therefore lets a threat actor:

  • Read users’ personal information
  • Modify and delete users’ information
  • Access users’ IP addresses and other access details
  • View users’ app usage and other analytics

Impacts are as follows:

  • Retrieve all index data with the browse endpoint (the browse permission, which the Admin key carries, returns every record rather than only ranked search hits).
  • Retrieve data with the Analytics API.
  • Interact with the Recommendation API.
  • Retrieve data with the Usage API.

Mitigation

  • Revoke the leaked keys.
  • Generate new ones and store them only on the backend, never in the app bundle.
  • If the app needs to talk to a sensitive external API (e.g., to collect or query user data), have the backend team expose an endpoint for that purpose. The endpoint should accept requests only from your app carrying an authorized user token. The third-party secret then never leaves your servers, and only your backend talks to the upstream API.
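What that backend endpoint looks like in practice, as an added example for this article rather than code from CloudSEK, Algolia or any of the affected apps: the app sends its session token and a query to the backend; the backend validates the token, fixes every search parameter except the free-text query, and only then calls Algolia with a key that lives solely on the server. The Algolia request shape (`POST /1/indexes/{index}/query` with the `X-Algolia-Application-Id` and `X-Algolia-API-Key` headers) is Algolia's documented REST API; the Application ID, the search-only key, the signing secret, the HMAC token format and the `owner` attribute used to scope results are all assumptions made for the example. The HTTP transport is injected so the handler runs offline.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# --- Secrets held ONLY on the backend (constructed placeholder values). ---
# The mobile app ships with none of these; it only ever holds a session token.
ALGOLIA_APP_ID = "EXAMPLEAPP"                               # hypothetical Application ID
ALGOLIA_SEARCH_KEY = "0" * 32                                # hypothetical search-only key (never the Admin key)
SESSION_SIGNING_KEY = b"rotate-me-and-keep-me-server-side"  # hypothetical token signing secret
ALLOWED_INDEXES = {"products"}                               # indexes the app is allowed to query


def issue_user_token(user_id: str, ttl_seconds: int = 3600, now=None) -> str:
    """Mint a signed session token after the user has authenticated.

    Format: base64url(user_id:expiry).hex(HMAC-SHA256). Any signed or opaque
    session scheme works; the point is that the backend, not the app, decides
    who may reach Algolia.
    """
    exp = int(now if now is not None else time.time()) + ttl_seconds
    payload = f"{user_id}:{exp}".encode()
    sig = hmac.new(SESSION_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_user_token(token: str, now=None):
    """Return the user_id for a valid, unexpired token, otherwise None."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
        expected = hmac.new(SESSION_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        user_id, exp = payload.decode().rsplit(":", 1)
        if int(exp) < (now if now is not None else time.time()):
            return None
        return user_id
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None


def build_algolia_request(index: str, query: str, user_id: str) -> dict:
    """Build the outbound request the backend makes to Algolia on the user's behalf.

    Only the index name and the free-text query come from the client; every other
    parameter is fixed here. The `filters` clause assumes records carry an `owner`
    attribute (an assumption for this example) so a user gets only their own
    records back, even though the search key can read the whole index. user_id
    is server-issued, so it is safe to interpolate into the filter.
    """
    params = urlencode({"query": query, "hitsPerPage": 20, "filters": f"owner:{user_id}"})
    return {
        "method": "POST",
        "url": f"https://{ALGOLIA_APP_ID}-dsn.algolia.net/1/indexes/{index}/query",
        "headers": {
            "X-Algolia-Application-Id": ALGOLIA_APP_ID,
            "X-Algolia-API-Key": ALGOLIA_SEARCH_KEY,
            "Content-Type": "application/json",
        },
        "body": json.dumps({"params": params}),
    }


def handle_search(client_request: dict, send, now=None) -> tuple:
    """The backend endpoint the app calls instead of Algolia.

    `client_request` is {"headers": {...}, "json": {...}} as a web framework would
    hand it over; `send(request) -> dict` is the HTTP transport, injected so the
    handler can be exercised without network access. Returns (status, body).
    """
    auth = client_request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing token"}
    user_id = verify_user_token(auth[len("Bearer "):], now=now)
    if user_id is None:
        return 401, {"error": "invalid or expired token"}

    body = client_request.get("json") or {}
    index, query = body.get("index"), body.get("query", "")
    if index not in ALLOWED_INDEXES or not isinstance(query, str) or len(query) > 512:
        return 400, {"error": "bad request"}

    upstream = send(build_algolia_request(index, query, user_id))
    # Pass back only what the app needs, not Algolia's full response.
    return 200, {"hits": upstream.get("hits", []), "nbHits": upstream.get("nbHits", 0)}
```

Even if this endpoint is abused, the attacker gets a rate-limitable, authenticated search scoped to their own records; they never obtain the key, and the key they would have obtained is search-only rather than Admin. Revoking a session is a backend decision rather than an app release.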

Conclusion

The problem is that the API keys are hardcoded in the apps rather than stored securely. Anyone who can download the app can extract the keys and use them with whatever permissions they carry; for an Admin key, that is full control over the Algolia application and the data in it.

Although this is not a flaw in Algolia or in any other service that offers such integrations, it is an example of a problem that exists in every application that relies on third-party APIs. The companies using such services have to secure their own systems rather than leave it to the API provider.

More articles by Swami B.

Explore content categories