These popular mobile apps are leaking valuable information

Security researchers have discovered more than a thousand mobile apps whose misused API integration leaks sensitive endpoints and user information.

CloudSEK researchers found 1,550 mobile apps that use Algolia, a proprietary search API that lets developers add search, discovery and recommendation features to websites and apps.

According to the company, this API is used by more than 11,000 companies around the world.

Abuse of service

Algolia comes with five API keys: Management, Search, Monitoring, Usage, and Analytics. According to the researchers, Search is the only key that is meant to be publicly available on the front-end, since it is what lets users search within the application. Monitoring provides access to cluster health; Usage and Analytics are self-explanatory; and the Admin key grants the rights of the other four keys, as well as other features.
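The practical consequence of that key model is that a release pipeline should refuse to ship a client build whose embedded Algolia key carries anything beyond the search permission. The following is an added example (not code from the article, from CloudSEK, or from Algolia) of such a release gate in Python. It assumes the pipeline has already retrieved each key's ACL list (the ACL names below are assumed to mirror Algolia's documented permission names) and scans an Android `strings.xml` fragment; the key values, resource names and XML are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# The only permission appropriate for a key shipped inside a client app.
CLIENT_SAFE_ACL = {"search"}

# Constructed sample of per-key ACL lists, keyed by the credential string.
# Key strings are placeholders, not real credentials; the ACL names are an
# assumption modelled on Algolia's documented permission names.
KEY_METADATA: Dict[str, List[str]] = {
    "PLACEHOLDER_SEARCH_ONLY_KEY": ["search"],
    "PLACEHOLDER_ADMIN_KEY": [
        "search", "browse", "addObject", "deleteObject", "deleteIndex",
        "settings", "editSettings", "analytics", "listIndexes", "logs",
    ],
}

# Constructed Android resource file as a build pipeline would see it.
SAMPLE_STRINGS_XML = """
<resources>
    <string name="app_name">ExampleStore</string>
    <string name="algolia_app_id">PLACEHOLDERAPP</string>
    <string name="algolia_api_key">PLACEHOLDER_ADMIN_KEY</string>
</resources>
"""

_RESOURCE_RE = re.compile(r'<string name="([^"]+)">([^<]+)</string>')


def classify_acl(acl: List[str]) -> str:
    """'client-safe' if the key can only search; otherwise 'over-privileged'."""
    return "client-safe" if set(acl) <= CLIENT_SAFE_ACL else "over-privileged"


def extract_candidate_keys(resources_xml: str) -> Dict[str, str]:
    """Collect resource strings whose name suggests an Algolia API key."""
    return {
        name: value
        for name, value in _RESOURCE_RE.findall(resources_xml)
        if "algolia" in name.lower() and "key" in name.lower()
    }


def audit_client_resources(resources_xml: str,
                           key_metadata: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (resource name, verdict) for every embedded Algolia key.

    A key that is not in the metadata cannot be proven search-only, so it is
    reported as 'unknown-key' and treated as a failure by the release gate.
    """
    findings = []
    for name, value in extract_candidate_keys(resources_xml).items():
        acl = key_metadata.get(value)
        findings.append((name, "unknown-key" if acl is None else classify_acl(acl)))
    return findings


def release_gate(resources_xml: str, key_metadata: Dict[str, List[str]]) -> bool:
    """True only when every embedded Algolia key is search-only."""
    return all(verdict == "client-safe"
               for _, verdict in audit_client_resources(resources_xml, key_metadata))


if __name__ == "__main__":
    for name, verdict in audit_client_resources(SAMPLE_STRINGS_XML, KEY_METADATA):
        print(f"{name}: {verdict}")
    print("release allowed:", release_gate(SAMPLE_STRINGS_XML, KEY_METADATA))
```

Run against the constructed sample, the gate rejects the build because the embedded key carries browse, write and settings permissions; swapping in the search-only placeholder makes it pass. The gate deliberately fails closed on keys it cannot resolve, since an unverifiable key in client assets is exactly the situation the researchers describe.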

However, the researchers discovered that it was possible to abuse these services and thus expose the data they manipulate.

“While the Management API Key allows threat actors to perform several critical actions and provides access to sensitive data, even with one or more of the other API keys, threat actors can search for or view sensitive data,” a CloudSEK analyst told BleepingComputer.

“In addition, depending on code changes in future versions of the applications, threat actors may be able to access more sensitive data using just these keys.”

Of the 1,550 apps in question, 32 leaked admin secrets, including 57 unique admin keys. With these, a threat actor could not only gain access to users' sensitive information but also manipulate application logs and index settings.

In total, the apps that leaked the admin key were downloaded around 3 times. Some of the apps reportedly have over a million downloads. They span all sorts of categories, from news and food apps to education, fitness, business apps, and many more.

CloudSEK did not provide a list of the affected apps, but said it had contacted their developers and received no response.

Via: BleepingComputer