Cybersecurity experts have discovered more than a thousand mobile applications with a flawed API integration that leaks sensitive endpoints and user information.
CloudSEK researchers found 1,550 mobile apps using Algolia, a proprietary API that helps mobile developers integrate search engines with the discovery and recommendation features found in websites and apps.
According to the company, this API is used by more than 11,000 companies worldwide.
Abuse the service
Algolia comes with five API keys: Admin, Search, Monitoring, Usage, and Analytics. According to the researchers, Search is the only key that should be publicly available on the front end, since it lets users perform searches in the app. Monitoring gives access to cluster status, Usage and Analytics are self-explanatory, and the Admin key gives access to the other four keys as well as a number of other features.
The researchers found that these keys could be misused to expose the data the services process.
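The practical defensive takeaway from the key model above is a pre-release check: before an app ships, scan its build output for key-shaped strings and confirm that any key found carries no more than the search permission. The following Python is an added example written for this article; it is not CloudSEK's or Algolia's code. It assumes that Algolia keys are 32 lowercase hex characters, that Algolia's ACL names for key permissions include "search" plus a set of write/admin rights such as "addObject" and "deleteIndex", and that the developer already has an inventory mapping each of their keys to its ACL list (for instance from their key-management dashboard). The strings output and the key inventory below are constructed sample data.

```python
import re

# Assumption: "search" is the only ACL that belongs in a client-side key
# (the article says only the Search key should be on the front end).
CLIENT_SAFE_ACLS = {"search"}

# Assumption: these Algolia ACL names grant write or administrative rights.
# Any key carrying one of them must never ship inside an app bundle.
ADMIN_LEVEL_ACLS = {
    "addObject", "deleteObject", "deleteIndex",
    "editSettings", "settings", "listIndexes", "logs",
}

# Assumption: Algolia API keys are 32 lowercase hex characters.
# \b on both sides prevents a 64-hex SHA-256 digest from matching as two keys.
KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")


def classify_key(acl):
    """Classify a key by its ACL list.

    'client-safe'      -> only search; acceptable in an app bundle
    'admin'            -> carries a write/admin right; must be rotated and removed
    'over-privileged'  -> no write right, but more than search (e.g. analytics)
    """
    acl_set = set(acl)
    if acl_set <= CLIENT_SAFE_ACLS:
        return "client-safe"
    if acl_set & ADMIN_LEVEL_ACLS:
        return "admin"
    return "over-privileged"


def find_candidate_keys(strings_output):
    """Collect key-shaped tokens from `strings`-style output of an app bundle."""
    found = set()
    for line in strings_output.splitlines():
        for match in KEY_RE.finditer(line):
            found.add(match.group(0))
    return sorted(found)


def audit(strings_output, key_inventory):
    """Map every candidate key in the bundle to a verdict.

    key_inventory: dict of key -> ACL list from the project's own records.
    A candidate that is not in the inventory is reported as 'unknown' so a
    human can decide whether it is a foreign key or just a hex digest.
    """
    report = {}
    for key in find_candidate_keys(strings_output):
        acl = key_inventory.get(key)
        report[key] = "unknown" if acl is None else classify_key(acl)
    return report


# Constructed sample: what `strings` over a built app might show.
SAMPLE_STRINGS = """AlgoliaAppId=EXAMPLEAPP1
AlgoliaSearchKey=0123456789abcdef0123456789abcdef
com.example.app.BuildConfig
ALGOLIA_ADMIN=fedcba9876543210fedcba9876543210
sha256:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
asset_md5=deadbeefdeadbeefdeadbeefdeadbeef
"""

# Constructed sample inventory of the project's own keys and their ACLs.
SAMPLE_INVENTORY = {
    "0123456789abcdef0123456789abcdef": ["search"],
    "fedcba9876543210fedcba9876543210": [
        "search", "browse", "addObject", "deleteObject", "deleteIndex",
        "editSettings", "settings", "listIndexes", "logs",
    ],
}


if __name__ == "__main__":
    for key, verdict in audit(SAMPLE_STRINGS, SAMPLE_INVENTORY).items():
        print(f"{key}  {verdict}")
```

Run against the sample, the audit flags the embedded admin key as "admin", accepts the search-only key, and reports the stray MD5 as "unknown" rather than silently passing it. Wiring this into CI so that any "admin" or "over-privileged" verdict fails the build is the simplest way to stop the class of leak the article describes.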
“While the admin API key allows threat actors to perform various critical actions and access sensitive data, even with one or more of the other API keys threat actors can search or view sensitive data,” a CloudSEK analyst told Bleeping Computer.
“In addition, depending on code changes in future versions of apps, attackers may be able to access more sensitive data using just these keys.”
Of the 1,550 affected apps, 32 leaked admin secrets, including 57 unique admin keys. This not only allowed a threat actor to access sensitive user information but also to tamper with app index records and settings.
In total, the apps that leaked the Admin key have been downloaded approximately 3,250,000 times, and some have over a million downloads, the researchers said. The apps span all sorts of categories, from news and food-and-drink apps to education, fitness, business, and many others.
CloudSEK has not provided the list of affected apps, but said it has contacted their developers and has not heard back.
Via: Bleeping Computer