UPDATED 19:32 EDT / NOVEMBER 21 2022

SECURITY

Over 1,500 apps found leaking API keys and potentially exposing user data

Security researchers have uncovered more than 1,500 apps leaking the Algolia application programming interface key and application ID, potentially exposing user data.

In research by CloudSEK Information Security Pte. Ltd., shared with Infosecurity Magazine today, 32 applications were found to have critical administrative secrets hardcoded, with 57 unique admin keys found so far.

Algolia Inc.’s API is used to implement searches on websites and in applications. The search API powers billions of queries for thousands of companies every month, among them Stripe Inc., Slack, Medium Corp. and Zendesk Inc. — but in this case, only sometimes securely.

The researchers explained that the admin API key can be used to access the different predefined Algolia API keys, including the search-only, monitoring, usage and analytics API keys. That access can allow threat actors to read users’ personal information, modify and delete users’ information, access IP addresses and view an app’s users.

While not naming the 32 apps with admin secrets hardcoded, the researchers said that they spanned shopping, education, lifestyle, business and medical companies. They noted that the issue does not lie with Algolia or similar services but with app developers mishandling API keys.

Developers are advised to remove all exposed keys, generate new ones and store them securely. Companies exposing data were informed of the issue before the report was released.

“This is the latest in a long list of reports which demonstrates how widespread the storage of API keys is in mobile apps,” David Stewart, chief executive officer of mobile app protection company Approov, told SiliconANGLE.

The issue is said to be that developers are not utilizing straightforward mitigations to counteract the underlying threats. “Specifically, in the case of third-party APIs like Algolia, mobile app developers could simply make use of just-in-time delivery mechanisms to provide the API keys only to genuine app instances and only when required to make API calls,” Stewart explained. “This would block all attempts to use and abuse via scripts any API keys which have ‘leaked’ from the app.”
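As an added illustration of the just-in-time approach described above (example code, not from the report or from Algolia): a backend keeps a search-only key server-side and hands each authenticated app instance a short-lived, user-scoped key derived from it, so no admin key is ever compiled into the app. The derivation mirrors the secured-API-key construction used by Algolia’s public client libraries (HMAC-SHA256 over a sorted query string, base64-encoded together with that string); the key value, index name and user token are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder: a search-only key that stays on the server and is never
# shipped in the app binary. The admin key must never be used as a parent key.
SEARCH_ONLY_KEY = "0123456789abcdef0123456789abcdef"


def serialize_restrictions(restrictions: dict) -> str:
    """Sorted URL query string; this exact string is what the HMAC covers."""
    return urlencode(sorted(restrictions.items()))


def generate_secured_api_key(parent_key: str, restrictions: dict) -> str:
    """Derive a restricted key: base64(hex(HMAC-SHA256(parent_key, params)) + params).
    The service recomputes the MAC, so a holder of the derived key cannot loosen
    the embedded restrictions without the parent key."""
    params = serialize_restrictions(restrictions)
    mac = hmac.new(parent_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((mac + params).encode()).decode()


def decode_restrictions(secured_key: str) -> dict:
    """Recover the restrictions inside a derived key, e.g. to audit what a leaked
    one could do. The first 64 hex characters are the MAC, the rest the params."""
    raw = base64.b64decode(secured_key).decode()
    return dict(parse_qsl(raw[64:]))


def verify_secured_key(parent_key: str, secured_key: str, now=None) -> bool:
    """Mimic the service-side check: MAC must match and validUntil must not have passed."""
    raw = base64.b64decode(secured_key).decode()
    mac, params = raw[:64], raw[64:]
    expected = hmac.new(parent_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    valid_until = dict(parse_qsl(params)).get("validUntil")
    now = int(time.time()) if now is None else now
    return valid_until is None or int(valid_until) >= now


def issue_key_for_user(user_token: str, ttl_seconds: int = 300, now=None) -> str:
    """What the backend returns to an authenticated app instance on demand: a key
    bound to one user and one index that expires after ttl_seconds."""
    now = int(time.time()) if now is None else now
    return generate_secured_api_key(SEARCH_ONLY_KEY, {
        "restrictIndices": "products",    # constructed index name
        "userToken": user_token,          # per-user rate limiting and analytics
        "validUntil": now + ttl_seconds,  # expiry enforced by the service
    })
```

A key scraped from an app built this way is useless after a few minutes, and even while valid it can only search one index as one user; the parent key and the admin key are never exposed.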

Chad Glinsky, backend engineer at security posture company Horizon3.ai Inc., commented that all users should understand that API keys are effectively a username and password.

“If they are leaked, it’s analogous to leaking your username and password … no bueno!” Glinsky added. “Users should protect their API keys as vigorously as they protect their passwords. Leaking an API key can be more consequential than leaking a username and password login since logins are often protected by two-factor authentication nowadays, whereas API keys are not.”
