"Over 1,500 Apps Found Leaking API Keys and Potentially Exposing User Data"

More than 1,500 apps have been found leaking their Algolia Application Programming Interface (API) key and application ID, potentially exposing user data. Researchers at CloudSEK identified 32 applications with hard-coded critical admin secrets, with 57 unique admin keys discovered so far. The Algolia API is used to implement search functionality on websites and in applications; every month it powers billions of queries for thousands of companies, including Stripe, Slack, Medium, and Zendesk.

According to the researchers, the admin API key can be used to access the various pre-defined Algolia API keys, such as the search-only API key, monitoring API key, usage API key, and analytics API key. With this access, threat actors may be able to read users' personal information, modify and delete information, access IP addresses, and view a user's app. Although the researchers did not name the 32 apps with hard-coded admin secrets, they did say the apps belonged to shopping, education, lifestyle, business, and medical companies.

The problem is not with Algolia or similar services, but with app developers mishandling API keys. Developers should remove all exposed keys, generate new ones, and store them securely. Companies that exposed data were notified of the problem before the report was published.

According to David Stewart, CEO of the mobile app protection company Approov, this is the latest in a long line of reports showing how common it is for API keys to be stored inside mobile apps. The problem is that developers are not applying simple mitigations against the underlying threats. For third-party APIs such as Algolia, mobile app developers could use just-in-time delivery mechanisms that provide API keys only to genuine app instances and only when API calls are required. This would defeat any attempt to use and abuse API keys that had 'leaked' from the app via scripts.
This article continues to discuss the discovery of over 1,500 apps leaking API keys and potentially exposing user data. 
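The defect described above is a hard-coded Algolia admin key shipped inside an app. The following is an added example (not code from the article, CloudSEK or Algolia) of a pre-release check that scans source or build-config text for credential pairs of that shape and blocks the build when a suspected admin key is present; the credential formats, the sample config and the `release_allowed` gate are my assumptions.

```python
import re

# Credential shapes are my assumption, not stated in the article: Algolia application IDs
# are 10 upper-case alphanumeric characters and API keys are 32 lower-case hex characters.
APP_ID_RE = re.compile(r"\b[A-Z0-9]{10}\b")
API_KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")
# The worst case in the report: a key stored under a name that says it is the admin key.
ADMIN_HINT_RE = re.compile(r"admin", re.IGNORECASE)

# Constructed sample of an Android build config, not taken from any real app.
SAMPLE_CONFIG = """\
val ALGOLIA_APP_ID = "A1B2C3D4E5"
val ALGOLIA_ADMIN_KEY = "0123456789abcdef0123456789abcdef"
val ALGOLIA_SEARCH_KEY = "fedcba9876543210fedcba9876543210"
val theme = "dark"
""".splitlines()


def scan_lines(lines):
    """Return (line_no, kind, value) for every Algolia-style credential found in the text."""
    findings = []
    for n, line in enumerate(lines, 1):
        keys = API_KEY_RE.findall(line)
        for key in keys:
            kind = "suspected-admin-key" if ADMIN_HINT_RE.search(line) else "api-key"
            findings.append((n, kind, key))
        # Only report 10-char IDs on lines that also look Algolia-related, to limit noise.
        if keys or "algolia" in line.lower():
            for app_id in APP_ID_RE.findall(line):
                findings.append((n, "app-id", app_id))
    return findings


def release_allowed(lines):
    """Gate for a build pipeline: fail when a suspected admin key is hard-coded.

    The name heuristic is only a first pass; an admin key stored under an innocent
    name would slip through, so confirm each shipped key's permissions in the
    Algolia dashboard and keep only search-only keys in client code.
    """
    return not any(kind == "suspected-admin-key" for _, kind, _ in scan_lines(lines))


if __name__ == "__main__":
    for n, kind, value in scan_lines(SAMPLE_CONFIG):
        # Redact most of the value so the scanner's own output does not leak it.
        print(f"line {n}: {kind} {value[:4]}...")
    print("release allowed:", release_allowed(SAMPLE_CONFIG))
```

Run it over the decompiled strings of a release build as well as the source tree, since the report concerns keys that survive into the shipped app.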

SiliconANGLE reports "Over 1,500 Apps Found Leaking API Keys and Potentially Exposing User Data"

Submitted by Anonymous on