These popular mobile apps are leaking some very valuable information

By Krishna Rao On Nov 22, 2022

How is eBPF Revolutionizing Kubernetes Scaling

Jan 20, 2024

Seamless CI/CD Integration: The Role of Monitoring as Code

Dec 11, 2023

Cybersecurity experts have uncovered more than a thousand mobile applications carrying a flawed API that are leaking sensitive endpoint (opens in new tab) and user information.

Researchers from CloudSEK found 1,550 mobile apps using Alogolia, a proprietary API that helps mobile developers integrate search engines with discovery and recommendation features found in websites and apps.

According to the company, this API is used by more than 11,000 companies worldwide.

Abusing the service

Aligolia comes with five API keys – Admin, Search, Monitoring, Usage, and Analytics, and according to the researchers, Search is the only key that’s meant to be available publicly on front-end, as it helps users run searches in the app. Monitoring allows access to the cluster status, Usage and Analytics are pretty self-explanatory, while the Admin key gives access to the other four keys, as well as a number of other features.

Now, the researchers have found that it was possible to abuse these services and thus expose the data they handle.

“While the admin API key enables threat actors to perform several critical actions and provides access to sensitive data, even with one or more of the other API keys, threat actors can search or view sensitive data,” a CloudSEK analyst told BleepingComputer.

“Also, depending on code changes in future versions of apps, threat actors may be able to access more sensitive data using just these keys.”

Out of the 1,550 apps in question, 32 leaked admin secrets, including 57 unique admin keys. With these, a threat actor could not only access sensitive user information (opens in new tab), but also play with app index records and settings.

In total, apps leaking the Admin key have been downloaded roughly 3,250,000 times. Some apps have more than a million downloads, it was said. The apps fall in all sorts of categories, from news apps, food and drink apps, to education, fitness, business apps, and many others.

CloudSEK did not provide the list of affected apps, but it did say it contacted their developers and – has not heard back.

Via: BleepingComputer (opens in new tab)

Read original article here

Denial of responsibility! TechnoCodex is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – [email protected]. The content will be deleted within 24 hours.