Algolia is a hosted search engine service for web surfing that uses a SaaS model. This service can process searches quickly and ensure easy implementation with websites and mobile applications by issuing an Algolia API key after registration. Thousands of companies use Algolia for this advantage alone.

Recently, the security issue of Algolia’s API key, which is used by many websites, has been discovered. According to a report published on November 21, 2022, by Singapore-based cybersecurity firm CloudSEK, a security vulnerablity has been found that could steal millions of users’ hardcoded Algolia API keys.

Algolia’s API is used by companies to incorporate search, discovery, and recommendations into their voice, mobile, and website applications. It is currently used by over 11,000 companies, including Lacoste, Stripe, Slack, Medium, and Zendesk to manage ~1.5 trillion search queries a year.

However, CloudSEK’s BeVigil, the first security search engine for mobile apps in the world has identified 1550 apps that leaked Algolia API Keys. Out of which, 32 apps, with millions of downloads, have hardcoded keys that can be exploited by threat actors to steal the data of millions of users.

Source : Hardcoded Algolia API Keys Could be Exploited by Threat Actors to Steal Millions of Users’ Data – CloudSEK

This report will focus on methods and possible attacks that can be caused by leaked Algolia API keys, as well as how to detect keys that are already exposed.

Configuration and Operation Method for Algolia API Key

The representative examples websites running with Algolia on the web are “Lacoste”, “Stripe”, “Slack”, and “Medium”. The method in which the Algolia API operates is to request a user’s input value from the server by the letter and send back the response.

For API verification, the key x-algolia-application-id, x-algolia-api-key is used.

Guide on Algolia API implementation as shown on the official Algolia website

Algolia API key can be found in the Setting > API Keys menu once a user logs in, and are divided into five different keys depending on their purposes.

  1. Search-Only API Key
  2. Admin API Key
  3. Usage API Key
  4. Monitoring API Key
  5. Analytics API Key
Settings menu screen where users can view their API Keys

Among these keys, users with access to the Admin API Key can access the other API Keys (Search-Only, Monitoring, Usage, Analytics). Therefore, if an attacker steals the Admin API Key, they can do the following.

List of Possible Actions That Attacker Can Take With Algolia Admin API Key

Source : Algolia API Key Guide

  • Search (search): allowed to perform search operations.
  • Browse Index (brose): allowed to retrieve all index data with the browse endpoint.
  • Add records (addObject): allowed to add or update a records in the index.
  • Delete records (deleteObject): allowed to delete an existing record.
  • List indices (listIndexes): allowed to get a list of all existing indices.
  • Delete index (deleteIndex): allowed to delete an index.
  • Get index settings (settings): allowed to read all index settings.
  • Set index settings (editSettings): allowed to update all index settings.
  • Use analytics API (analytics): allowed to retrieve data with the Analytics API.
  • Use recommendation API (recommendation): allowed to interact with the Recommendation API.
  • Use usage API (usage): allowed to retrieve data with the Usage API.
  • Access logs (logs): allowed to query the logs.
  • Get unretrievable attributes (seeUnretrievableAttributes): allowed to retrieve unretrievableAttributes for all operations that return records.

As shown above, the Administrator API Key gives rights to all possible actions taken, so it must only be handled by the top system administrator. 

Warning notice regarding Algolia Administrator API Key permissions

How To Find an Exposed Algolia API Key with Security OSINT Search Engine

According to CloudSEK’s announcement, the fault lies not in Algolia API, but in the individuals or corporations that misuse the API, causing these leaks.

Applications with exposed Algolia API keys can be found by two queries on Criminal IP.

A total of 973 API keys are found associated with exposed IP addresses.

Search Query: x-algolia-api-key status_code:200

Search Query: x-algolia-application-id status_code:200

Search results for Algolia servers with exposed API keys returns a total of 973 IP addresses

Accessing one of these websites and viewing the developer tool, users can see that the API responds to the input value of the accessing user in real time, leading algolia agent, api key and api id to become exposed in turn.

Screenshot of payload belonging to Algolia web server with exposed API ID and Key

Verifying Key Permissions

However, those servers cannot be considered vulnerable just because the API key value was exposed. An actual attack is possible only when the authority of the API key is not controlled.

The following shows the access authority of the API Key.

Users just need to fill in the exposed API Key and Application ID in the command prompt below. 

curl -X GET -H "X-Algolia-API-Key: {API-KEY}" -H "X-Algolia-Application-Id: {Application-ID}" "https://{Application-ID}.algolia.net/1/logs"

If the access authority of the API Key is controlled, a message below will be displayed.

{"message":"Invalid Application-ID or API key","status":403}

If the access authority of the API Key is not controlled, a message like the one below, which is most likely in a log format.

{"message":"Method not allowed with this API key","status":403}root@xxxxxxxxxx:~7b5137" -H "X-Algolia-Application-Id: {Application_ID" "https://{Application_ID.algolia.net/1/logs"
{"logs":[{"timestamp":"2022-11-25T09:22:06Z","method":"GET","answer_code":"403","query_body":"","answer":"\n{\n  \"message\": \"Method not allowed with this API key\",\n  \"status\": 403\n}\n","url":"/1/logs","ip":"x.x.x.x","query_headers":"Host: {Application_ID.algolia.net\nUser-Agent: curl/7.47.0\nAccept: */*\nX-Algolia-API-Key: a321****************************\nX-Algolia-Application-Id: {Application_ID\n","sha1":"xxxxxxxxxxxxxxxxxxxxxxx","processing_time_ms":"1"},{"timestamp":"2022-11-25T09:21:06Z","method":"GET","answer_code":"403","query_body":"","answer":"\n{\n  \"message\": \"Method not allowed with this API key\",\n  \"status\": 403\n}\n","url":"/1/logs","ip":"x.x.x.x","query_headers":"Host: {Application_ID.algolia.net\nUser-Agent: curl/7.83.1\nAccept: */*\nX-Algolia-API-Key: a321****************************\n

In order to check vulnerabilities such as API Key leakage quickly, we recommend users check out Criminal IP RMR for enterprise users, and Criminal IP Search Engine  for private users.

Read more about API Key vulnerabilities and information leaks by reading this article about API Key leaks on Django.

Source : Criminal IP (https://www.criminalip.io/)

Related Article(s) : 

API Key, a Key to Credential Leakage & Manipulation