Cybersecurity experts have uncovered more than a thousand mobile applications carrying a flawed API that are leaking sensitive endpoint (opens in new tab) and user information.
Researchers from CloudSEK found 1,550 mobile apps using Alogolia, a proprietary API that helps mobile developers integrate search engines with discovery and recommendation features found in websites and apps.
According to the company, this API is used by more than 11,000 companies worldwide.
Abusing the service
Aligolia comes with five API keys – Admin, Search, Monitoring, Usage, and Analytics, and according to the researchers, Search is the only key that’s meant to be available publicly on front-end, as it helps users run searches in the app. Monitoring allows access to the cluster status, Usage and Analytics are pretty self-explanatory, while the Admin key gives access to the other four keys, as well as a number of other features.
Now, the researchers have found that it was possible to abuse these services and thus expose the data they handle.
“While the admin API key enables threat actors to perform several critical actions and provides access to sensitive data, even with one or more of the other API keys, threat actors can search or view sensitive data,” a CloudSEK analyst told BleepingComputer.
“Also, depending on code changes in future versions of apps, threat actors may be able to access more sensitive data using just these keys.”
Out of the 1,550 apps in question, 32 leaked admin secrets, including 57 unique admin keys. With these, a threat actor could not only access sensitive user information (opens in new tab), but also play with app index records and settings.
In total, apps leaking the Admin key have been downloaded roughly 3,250,000 times. Some apps have more than a million downloads, it was said. The apps fall in all sorts of categories, from news apps, food and drink apps, to education, fitness, business apps, and many others.
CloudSEK did not provide the list of affected apps, but it did say it contacted their developers and – has not heard back.
Via: BleepingComputer (opens in new tab)
