Over 1,500 apps found leaking API keys and potentially exposing user data
Security researchers have uncovered more than 1,500 apps leaking the Algolia application programming interface key and application ID, potentially exposing user data.
Discovered by researchers at CloudSEK Information Security Pte. Ltd. and shared with Infosecurity Magazine today, 32 applications were found to have critical administrative secrets hardcoded, with 57 unique admin keys found so far.
Algolia Inc.’s API is used to implement searches on websites and in applications. The search API powers billions of queries for thousands of companies every month, among them Stripe Inc., Slack, Medium Corp. and Zendesk Inc. — but in this case, only sometimes securely.
The researchers explained that the admin API key can be used to access the different predefined Algolia API keys, including the search-only API key, monitoring API key, usage API key and analytics API key. That access can allow threat actors to read users’ personal information, modify and delete users’ information, access IP addresses and view a user’s app users.
While not naming the 32 apps with admin secrets hardcoded, the researchers said that they spanned shopping, education, lifestyle, business and medical companies. It’s noted that the issue does not lie in Algolia or similar services but with app developers mishandling API keys.
Developers are advised to remove all exposed keys, generate new ones and store them securely. Companies exposing data were informed of the issue before the report was released.
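As an added example (not from CloudSEK's report or this article), here is a pre-release check a build pipeline could run over its own source tree to catch hardcoded Algolia credentials before an app ships. The key and application-ID formats, the file suffixes and the function names are assumptions.

```python
import re
import sys
from pathlib import Path

# Assumed formats (not stated in the article): an API key is 32 hex characters,
# an application ID is 10 upper-case alphanumerics.
API_KEY = re.compile(r"\b[0-9a-f]{32}\b")
APP_ID = re.compile(r"\b[A-Z0-9]{10}\b")
CONTEXT = re.compile(r"algolia", re.IGNORECASE)
WINDOW = 3  # lines either side that must mention Algolia
SUFFIXES = {".java", ".kt", ".swift", ".js", ".ts", ".xml", ".json", ".plist"}

# Constructed sample; the values are placeholders, not real credentials.
SAMPLE = "\n".join([
    "class SearchConfig {",
    '  static final String ALGOLIA_APP_ID = "ABCDE12345";',
    '  static final String ALGOLIA_API_KEY = "0123456789abcdef0123456789abcdef";',
    "}",
])

def scan_text(text, name="<memory>"):
    """Flag key-shaped strings that sit near an Algolia reference."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for match in API_KEY.finditer(line):
            nearby = "\n".join(lines[max(0, i - WINDOW): i + WINDOW + 1])
            if not CONTEXT.search(nearby):
                continue  # e.g. an unrelated MD5 digest
            findings.append({
                "file": name,
                "line": i + 1,
                "key": match.group()[:4] + "...",  # never log the full secret
                "app_id_nearby": bool(APP_ID.search(nearby)),
            })
    return findings

def scan_tree(root):
    """Scan every source or resource file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SUFFIXES:
            findings += scan_text(path.read_text(errors="ignore"), str(path))
    return findings

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for f in results:
        print(f"{f['file']}:{f['line']}: possible Algolia key {f['key']}")
    sys.exit(1 if results else 0)  # non-zero exit fails the build
```

Any key the check finds in a released build should be treated as exposed and rotated, not just deleted from the source.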
“This is the latest in a long list of reports which demonstrates how widespread the storage of API keys is in mobile apps,” David Stewart, chief executive officer of mobile app protection company Approov, told SiliconANGLE.
The issue is said to be that developers are not utilizing straightforward mitigations to counteract the underlying threats. “Specifically, in the case of third-party APIs like Algolia, mobile app developers could simply make use of just-in-time delivery mechanisms to provide the API keys only to genuine app instances and only when required to make API calls,” Stewart explained. “This would block all attempts to use and abuse via scripts any API keys which have ‘leaked’ from the app.”
Chad Glinsky, backend engineer at security posture company Horizon3.ai Inc., commented that all users should understand that API keys are effectively a username and password.
“If they are leaked, it’s analogous to leaking your username and password … no bueno!” Glinsky added. “Users should protect their API keys as vigorously as they protect their passwords. Leaking an API key can be more consequential than leaking a username and password login since logins are often protected by two-factor authentication nowadays, whereas API keys are not.”