Modern application architecture has redefined data security – and not necessarily in a good way. Many applications are now built out of hundreds of moving parts, with enterprise tools offering increasingly bespoke configurations and plugins. So, what is data security? And how can organizations continue to protect customers in a DevOps world that’s sometimes working against them?
Algolia, Hasty Devs, and Insecurities
Across almost every industry, the ability for a customer to search through your site is invaluable. However, it’s not as simple as customers typing exactly what they want into a search bar. Sometimes, the customer might refer to products in different ways – with a traditional search mechanism, anything that doesn’t exactly match what’s on your site will almost certainly result in a bounce.
Intelligent site search, on the other hand, allows for customer searches that aren’t verbatim. This then transforms a site’s search functions into another tool for conversion, as the customer can now be guided throughout more of your products or services. Alongside being an analytics powerhouse, intelligent site search indexes your site consistently, allowing for the newest content to be prioritized in rankings, meaning it can include a greater breadth of options than just eCommerce products.
Thus, users could access information they might not have even thought they’d be interested in. Site search tools enable an end-user to quickly discover the area they’re looking for, while clearly being presented with the relevant information on products and services you may provide. They can also open the door to severe security flaws.
Algolia is one tool that boasts intelligent site search. With over 17,000 global customers, its industry presence is significant, handling over 1 million requests every week for clients such as Marcari, Gymshark, and more. The Algolia plugin allows any site owner or developer to add the search tool – which leads us to the recent turn of events, wherein Algolia may have suffered from its own success.
The Algolia API leak
Algolia’s plug-and-play approach is facilitated via its Application Programming Interface (API). APIs are ubiquitous in today’s multifaceted tech landscape, as they allow different applications to communicate with one another. A key part of API security is the API key. This is a unique piece of code that is sent from one app to another across a network, ensuring any given interface is being used as intended. API keys are only one part of a broader authentication scheme; they do not provide individual user authentication. However, the keys do provide access to any given API server, meaning that if the key is valid, the server will allow an application to connect.
In November of 2022, CloudSEK researchers found that thousands of third-party applications that used the Algolia API were suffering from deep misconfigurations. In an astonishing example of API mishandling by developers, these API keys were retrievable from the application itself. Dozens of apps were also guilty of hardcoding admin secrets, lending even more ammunition to opportunistic attackers. If an API leaks its key, an attacker could simply access all predefined keys, which include the usage, analytics, and monitoring keys. Having access to these allows an attacker to read personal information about an app’s end-user, alongside being able to modify and delete in-app information and access their IP address.
Alongside the thousands of apps that are essentially ticking time bombs waiting for a data breach event, CloudSEK also discovered 32 applications that even hardcoded admin secrets. This is particularly dangerous, as it essentially makes the API information publicly accessible. Guilty applications spanned all industries, including shopping, education, medical companies, and business.
Unfortunately, this is not a flaw within Algolia itself, nor in the services that provide integrations. It’s hard evidence of API mishandling by developers themselves. As such, it’s up to individual companies to address these security concerns in their own time, which is concerning, considering it takes on average only 9 days for attackers to begin exploiting publicly-released vulnerabilities.
Securing API keys
The practice of hardcoding API keys into an application isn’t a malicious choice by developers. Instead, it’s a natural result of the pressures faced in tight time-to-markets, and when the drive for efficiency overpowers the necessity of security.
As the problem is rooted in development processes, app developers could simply replace hardcoded secrets with a just-in-time delivery mechanism. This only provides API keys to app instances that have already been authenticated, and only when required to make an API call. This format would totally eradicate the Algolia data leak issue, alongside providing higher security throughout the API calling process. While this blocks any attempts to abuse leaked API keys, there are a number of steps companies can take to secure unpatched instances.
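A sketch of the just-in-time delivery described above, added here as an illustration and not taken from Algolia or CloudSEK. It is a variant in which a server-side broker hands an authenticated app instance a short-lived, search-only credential instead of a long-lived key; the session store, scope names, TTL and token format are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed values: in a real deployment these live only on the server.
SIGNING_SECRET = b"constructed-demo-signing-secret"
AUTHENTICATED_SESSIONS = {"sess-constructed-001"}  # instances that passed login
CLIENT_SCOPES = {"search"}                         # admin scope is never issued
TTL_SECONDS = 60

def _sign(payload: bytes) -> bytes:
    mac = hmac.new(SIGNING_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)

def issue_credential(session_id, scope, now=None):
    """Broker side: mint a short-lived, scoped credential on request."""
    if session_id not in AUTHENTICATED_SESSIONS:
        raise PermissionError("app instance is not authenticated")
    if scope not in CLIENT_SCOPES:
        raise PermissionError("scope not available to client apps")
    now = time.time() if now is None else now
    claims = {"sub": session_id, "scope": scope, "exp": int(now) + TTL_SECONDS}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (payload + b"." + _sign(payload)).decode()

def verify_credential(token, required_scope, now=None):
    """Gateway side: check signature, expiry and scope before the API call."""
    now = time.time() if now is None else now
    payload, sep, sig = token.encode().partition(b".")
    if not sep or not hmac.compare_digest(sig, _sign(payload)):
        raise PermissionError("bad or missing signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] <= now:
        raise PermissionError("credential expired")
    if claims["scope"] != required_scope:
        raise PermissionError("scope mismatch")
    return claims

if __name__ == "__main__":
    token = issue_credential("sess-constructed-001", "search")
    print(verify_credential(token, "search"))
```

Because nothing long-lived ships inside the app, a credential pulled from a decompiled build or captured in transit stops working within the TTL and never carries admin scope.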
A major component of modern API insecurity is that companies may simply not know the full wealth of APIs they rely on. Individual applications are easier to track, but unique APIs continue to represent a persistent visibility challenge. Third-party security solutions can offer in-depth API discovery and classification. This allows you to detect and classify the sensitive information flowing throughout the API tech stack. The identification and classification of this data represents the first step toward organizational alignment with modern data privacy rules and regulations.
Once you’ve got a handle on the swathes of APIs and the data that each is handling, high-value security solutions make it possible to automatically detect even advanced API threats. This attack detection can trigger at any sign of API abuse and data theft, allowing you to protect the customers that form the backbone of any stable organization.