Heimdal
Home > Cybersecurity News

Apps with Over 3 Million Downloads Leak Algolia API Keys

Sensitive Information, at Risk of Being Exposed.

Last updated on November 22, 2022

article featured image

Contents:

Researchers found 1,550 mobile apps that were leaking Algolia API credentials, putting private internal services and user data at risk. Of those apps, 32 reveal admin secrets, including 57 different admin keys, providing attackers access to private user data or the ability to change app index records and settings.

What Is Algolia API?

Over 11,000 businesses use the Algolia API, a unique framework for combining search engines with discovery and recommendation elements in websites and applications. The system uses five API keys for Admin, Search, Analytics, Monitoring, and Usage, out of which only the Search key is meant to be public and available on the front-end code.

Usage and Analytics provide usage statistics, the Monitoring key allows administrators a quick glance at the status of their cluster, and the Admin key grants access to all four API key services as well as the following:

  • Add/Delete records
  • Browse/Delete the index
  • List indices
  • Get/Set index settings
  • Get access logs
  • Get irretrievable attributes

By abusing the services listed above, threat actors can expose data containing user device and network access details, usage statistics, search logs, and other information.

Details on the Campaign

Security researchers found 1,550 apps leaking the Algolia API key and application ID. According to BleepingComputer, the 32 apps that expose Admin API credentials pose a greater danger to users’ privacy and expose databases to fraudulent changes that could harm businesses.

Collectively, the apps have over 3 million downloads, with some apps having over a million downloads each. The category which is most prone to exposed keys is shopping apps, with 2.3 million downloads collectively. Other app categories include news apps, food and drink, fitness, education, lifestyle, photography, medical, and business apps.

As per BleepingComputer, the developers of the apps have been informed about the leakage risk, but they’re still waiting for an answer.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu

CONTENT EDITOR

linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

Related Articles

Worok Hackers Abuse Dropbox API to Leak Data via Backdoor Hidden in ImagesFour Google Play Apps With Over 1 Million Installs Are Deploying MalwareFive Play Store Droppers Target 200 Banking and Cryptocurrency Wallets AppsWhat Is Data Leakage?

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V