Mishandled Algolia API keys put data of millions of users in danger


Algolia’s API is used by companies to incorporate search, discovery, and recommendations into their voice, mobile, and website applications. It is currently used by over 11,000 companies, including Lacoste, Stripe, Slack, Medium, and Zendesk, to manage 1.5 trillion search queries a year.
CloudSEK, a security company, has identified 1550 apps that leaked Algolia API keys, and 32 applications with millions of downloads have hardcoded keys that can be exploited by threat actors to steal the data of millions of users.


While this is not a flaw in Algolia or other such services that provide integrations, it is evidence of how API keys are mishandled by app developers. So, it is up to individual companies to address the security concerns associated with payment gateways, AWS services, open Firebase instances, etc.
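A pre-release check a team could run over its own app source to catch the kind of hardcoded key described above. This is an added example, not code from CloudSEK or Algolia; the 32-character hexadecimal key pattern, the keyword hints, and all file, function and variable names are assumptions.

```python
import re

# Assumption (not stated on the page): an Algolia API key looks like a
# 32-character hexadecimal string literal.
KEY_LITERAL = re.compile(r"""["']([0-9a-fA-F]{32})["']""")
# A bare 32-hex literal may be an MD5 digest, so require nearby context.
SAME_LINE_HINT = re.compile(r"algolia|api_?key|search_?key|admin_?key", re.I)
PREV_LINE_HINT = re.compile(r"algolia", re.I)
LOOKBACK = 2  # lines of preceding context checked for "algolia"


def redact(value):
    """Keep enough of the literal to locate it without re-leaking the key."""
    return value[:4] + "*" * (len(value) - 4)


def scan_source(name, text):
    """Return (file, line number, redacted literal) for each suspect key."""
    findings = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        for match in KEY_LITERAL.finditer(line):
            before = lines[max(0, idx - LOOKBACK):idx]
            if SAME_LINE_HINT.search(line) or any(
                PREV_LINE_HINT.search(prev) for prev in before
            ):
                findings.append((name, idx + 1, redact(match.group(1))))
    return findings


# Constructed sample input; names and values are invented for illustration.
SAMPLE = '''\
public class SearchConfig {
    static final String FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e";
    static final String ALGOLIA_APP_ID = "AB12CD34EF";
    static final String ALGOLIA_API_KEY = "0123456789abcdef0123456789abcdef";
    static final String FROM_ENV = System.getenv("ALGOLIA_API_KEY");
    Client client = makeClient(ALGOLIA_APP_ID,
        "fedcba9876543210fedcba9876543210");
}
'''

if __name__ == "__main__":
    for file, line_no, literal in scan_source("SearchConfig.java", SAMPLE):
        print(f"{file}:{line_no}: hardcoded key-like literal {literal}")
```

The unrelated MD5 literal and the key read from the environment are not reported; the two embedded literals on lines 4 and 7 of the sample are.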



CloudSEK has notified Algolia and the affected apps about the hardcoded API keys.

 
