These popular mobile apps are leaking some very valuable information
More than a thousand apps leak sensitive user data, experts warn
Cybersecurity experts have uncovered more than a thousand mobile applications carrying a flawed API that are leaking sensitive endpoint and user information.
Researchers from CloudSEK found 1,550 mobile apps using Alogolia, a proprietary API that helps mobile developers integrate search engines with discovery and recommendation features found in websites and apps.
According to the company, this API is used by more than 11,000 companies worldwide.
Abusing the service
Aligolia comes with five API keys - Admin, Search, Monitoring, Usage, and Analytics, and according to the researchers, Search is the only key that’s meant to be available publicly on front-end, as it helps users run searches in the app. Monitoring allows access to the cluster status, Usage and Analytics are pretty self-explanatory, while the Admin key gives access to the other four keys, as well as a number of other features.
Now, the researchers have found that it was possible to abuse these services and thus expose the data they handle.
"While the admin API key enables threat actors to perform several critical actions and provides access to sensitive data, even with one or more of the other API keys, threat actors can search or view sensitive data," a CloudSEK analyst told BleepingComputer.
"Also, depending on code changes in future versions of apps, threat actors may be able to access more sensitive data using just these keys."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Out of the 1,550 apps in question, 32 leaked admin secrets, including 57 unique admin keys. With these, a threat actor could not only access sensitive user information, but also play with app index records and settings.
In total, apps leaking the Admin key have been downloaded roughly 3,250,000 times. Some apps have more than a million downloads, it was said. The apps fall in all sorts of categories, from news apps, food and drink apps, to education, fitness, business apps, and many others.
CloudSEK did not provide the list of affected apps, but it did say it contacted their developers and - has not heard back.
- Check out the best privacy tools right now
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.