What Expert Says On Algolia API Keys Leaked

By ISBuzz Team, Writer, Information Security Buzz | Nov 23, 2022 06:58 am PST

CloudSEK has revealed that Algolia’s API keys have been leaked, putting millions of users’ data at risk.

Algolia’s API is used by companies to incorporate search, discovery, and recommendations into their voice, mobile, and website applications. It is currently used by over 11,000 companies, including Lacoste, Stripe, Slack, Medium, and Zendesk, to manage ~1.5 trillion search queries a year. CloudSEK’s BeVigil, the world’s first security search engine for mobile apps, has identified 1550 apps that leaked Algolia API keys. Of these, 32 apps, with millions of downloads, have hardcoded keys that threat actors can exploit to steal the data of millions of users.
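To make the "hardcoded keys" finding concrete from the defender's side, here is an added example (not code from the article, from CloudSEK's BeVigil, or from Algolia) of a small secret scanner run over unpacked app resources. It assumes, and labels as an assumption, that Algolia Application IDs are 10 upper-case alphanumerics and API keys are 32 lower-case hex characters; the sample files it scans are constructed and contain no real credentials.

```python
"""Scan extracted mobile-app resources for hardcoded Algolia-style credentials.

Added example; this is not code from the article, CloudSEK/BeVigil or Algolia.
Assumptions, labelled here: Algolia Application IDs are 10 upper-case
alphanumerics and API keys are 32 lower-case hex characters. The sample files
below are constructed and contain no real keys.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed credential formats (see module docstring).
APP_ID_RE = re.compile(r"\b[A-Z0-9]{10}\b")
API_KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")
# Any 32-hex string matches API_KEY_RE (hashes, etags, session ids), so a hit
# is only reported when nearby lines mention Algolia or carry an App ID.
CONTEXT_RE = re.compile(r"algolia", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    app_id: Optional[str]   # App ID seen near the key, if any
    api_key: str            # full key; redact before logging
    confidence: str         # "high" (App ID nearby) or "medium" (name only)


def redact(secret: str) -> str:
    """Keep just enough of a secret to match it against a key inventory."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return hardcoded-credential findings for one file's contents."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        key = API_KEY_RE.search(line)
        if not key:
            continue
        # Two lines of context on either side of the candidate key.
        window = " ".join(lines[max(0, idx - 2): idx + 3])
        app_id = APP_ID_RE.search(window)
        if app_id:
            confidence = "high"
        elif CONTEXT_RE.search(window):
            confidence = "medium"
        else:
            continue  # bare 32-hex value with no Algolia context: ignore
        findings.append(Finding(path, idx + 1,
                                app_id.group(0) if app_id else None,
                                key.group(0), confidence))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (e.g. an unpacked APK)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample input: one file ships a key beside its App ID, one
# injects the key at build time, and one holds an unrelated 32-hex value
# near the word "algolia".
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="algolia_app_id">EXAMPLE001</string>\n'
        '    <string name="algolia_api_key">0123456789abcdef0123456789abcdef</string>\n'
        "</resources>\n"
    ),
    "assets/search.properties": (
        "search.provider=algolia\n"
        "search.key=${ALGOLIA_SEARCH_KEY}\n"
    ),
    "assets/cache.properties": (
        "cache.backend=algolia-mirror\n"
        "cache.etag=deadbeefdeadbeefdeadbeefdeadbeef\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.confidence}] app_id={f.app_id} "
              f"key={redact(f.api_key)}")
```

Run against the constructed files, the scanner reports the strings.xml pair as a high-confidence finding and the etag as medium (the name "algolia" is nearby but no App ID), while the build-time placeholder produces nothing. The report prints redacted keys on purpose: scan output tends to end up in tickets and CI logs, which is one more place a secret can leak from. A high-confidence hit is the case the article describes, and the remediation is to rotate the exposed key and ship the client only a key limited to the permissions it actually needs.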

Jason Kent, Hacker in Residence
November 23, 2022 2:59 pm

To set the context of how the API keys are being used in this security incident: Algolia provides API keys to third-party app developers who use them to integrate Algolia functionality into their apps. API keys are akin to the keys to your house – they provide access to anything in the app (or your home). The leaked Algolia API keys not only put user data at risk, they enable a bad actor to delete data, make unauthorised changes and so on. 

It’s important to note that there’s nothing inherently wrong with Algolia’s APIs. Rather, this highlights a major problem with API security which is that the API keys are only ever as secure as the processes used to manage them. If app developers do not follow secure coding and key management best practices or if the company stores them in an insecure manner, then those API keys can become exposed. It’s imperative, therefore, that security is in place to ensure secure development of APIs and that the systems used to manage them are also locked down.

Unfortunately, much of the security used to police API solutions such as WAFs and API Gateways only looks for malicious activity such as signature-based attacks or scaled attacks that bombard the system. What’s likely to have happened here is that an attacker will have probed an application, analysed how the API works, discovered the keys and simply walked away, without raising any alerts. This reveals the importance of behaviour-based monitoring which can help to spot suspicious activity.

