Researchers found 1,550 mobile apps that were leaking Algolia API credentials, putting private internal services and user data at risk. Of those apps, 32 reveal admin secrets, including 57 different admin keys, providing attackers access to private user data or the ability to change app index records and settings.

What Is Algolia API?

Over 11,000 businesses use the Algolia API, a unique framework for combining search engines with discovery and recommendation elements in websites and applications. The system uses five API keys: Admin, Search, Analytics, Monitoring, and Usage. Of these, only the Search key is meant to be public and available in the front-end code.

The Usage and Analytics keys provide usage statistics, the Monitoring key gives administrators a quick glance at the status of their cluster, and the Admin key grants access to all four of the other keys' services as well as the following:

  • Add/Delete records
  • Browse/Delete the index
  • List indices
  • Get/Set index settings
  • Get access logs
  • Get irretrievable attributes

By abusing the services listed above, threat actors can expose data containing user device and network access details, usage statistics, search logs, and other information.
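A release check that enforces the "only the Search key is public" rule is sketched below. It is an added example, not code from the researchers or from Algolia. It assumes key metadata with an `acl` list in the shape Algolia's API-key listing returns; the sample records are constructed, and the mapping from ACL names to the capabilities listed above is this example's own.

```python
import json

# Algolia ACL names mapped to the capabilities the article lists (mapping is an assumption).
RISKY_ACLS = {
    "addObject": "add records",
    "deleteObject": "delete records",
    "browse": "browse the index",
    "deleteIndex": "delete the index",
    "listIndexes": "list indices",
    "settings": "get index settings",
    "editSettings": "set index settings",
    "logs": "get access logs",
    "seeUnretrievableAttributes": "get unretrievable attributes",
    "analytics": "read analytics",
    "usage": "read usage statistics",
}
SHIPPABLE = {"search"}  # the only permission that belongs in front-end code

def audit_key(meta):
    """Return the reasons a key must not be embedded in a client app."""
    acl = set(meta.get("acl", []))
    if not acl:
        return ["no acl listed: cannot prove the key is search-only"]
    return [f"{name}: {RISKY_ACLS.get(name, 'unrecognised permission')}"
            for name in sorted(acl - SHIPPABLE)]

def release_gate(keys_json):
    """Map key description -> findings for every key unsafe to ship."""
    blocked = {}
    for meta in json.loads(keys_json)["keys"]:
        findings = audit_key(meta)
        if findings:
            blocked[meta.get("description", "<unnamed>")] = findings
    return blocked

# Constructed sample: metadata for the keys referenced by a mobile build.
SAMPLE = json.dumps({"keys": [
    {"description": "mobile-search", "acl": ["search"]},
    {"description": "support-tool", "acl": ["search", "browse", "logs"]},
    {"description": "indexer", "acl": ["addObject", "deleteObject",
                                       "editSettings", "deleteIndex"]},
]})

if __name__ == "__main__":
    for name, findings in release_gate(SAMPLE).items():
        print(f"BLOCK {name}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run in CI against the keys a build references, a non-empty result should fail the release.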

Details on the Campaign

Security researchers found 1,550 apps leaking the Algolia API key and application ID. According to BleepingComputer, the 32 apps that expose Admin API credentials pose a greater danger to users’ privacy and expose databases to fraudulent changes that could harm businesses.

Collectively, the apps have over 3 million downloads, with some apps having over a million downloads each. The category most prone to exposed keys is shopping apps, with 2.3 million downloads collectively. Other affected categories include news, food and drink, fitness, education, lifestyle, photography, medical, and business apps.

As per BleepingComputer, the developers of the apps have been informed about the leakage risk, but they’re still waiting for an answer.
