Organizations use Algolia's API to add functions such as search, discovery, and recommendations to their applications. The API is used by over 11,000 companies, including Lacoste, Slack, Medium, and Zendesk.
CloudSEK says it has identified 1,550 applications that leaked Algolia API keys, including 32 apps with hardcoded admin secrets, which give an attacker access to the pre-defined Algolia API keys those secrets control.
The offending 32 apps, CloudSEK says, had more than 2.5 million downloads, potentially exposing their users' data to malicious attacks. A threat actor could exploit these weaknesses to read user information, including IP addresses, access details, and analytics data, and to delete user information.