I found 39 Algolia admin keys exposed across open source documentation sites
156 points by kernelrocks
by pmdr
3 subcomments
Twenty years ago every PHP website had search. We forgot how to do it.
by Dazzler5648
0 subcomment
Thanks for this. I was maybe using one of these keys until this morning. When I logged in at dashboard.algolia.com and went to Settings -> API Keys, I found that none of the keys (Search, Analytics, Usage, Monitoring) matched the key I was using on a frontend. I made a decent attempt looking for that old key anywhere in their admin panels and could not find it. poof!
So perhaps at some point, they were only giving admin keys (because I don't remember there being a choice; and I would think given the choice I'd make the right one) and when called out (or sometime prior) realized the problem and made a new Settings -> API Keys page. Currently on the page the first one listed is the Search Key, with the subtext "This is the public API key which can be safely used in your frontend code. This key is usable for search queries and it's also able to list the indices you've got access to."
by stickynotememo
0 subcomment
So why hasn't the HomeAssistant docs page been nuked yet?
by netsharc
2 subcomments
Man, talk about unnecessary graphs... ok graph 2 is maybe tolerable, although it's showing the popularity of the projects, not a metric of how many errors/vulnerabilities found in those projects.
I'm not a newspaper editor, but I think if this was an article for one, they'd also say the graphs are unnecessary. It smells of "I need some visual stuff to make this text interesting"...
by dawnerd
0 subcomment
Algolia really needs to make using the admin key less easy. I’ve almost copied it before when setting up a frontend. It should be tucked away and require auth to view.
by trrra
0 subcomment
Is this aloglia's (or any provider) responsability or each individual integration ?
the wildest part is algolia just not responding. you email them saying "hey 39 of your customers have admin keys in their frontend" and they ghost you? thats way worse than the keys themselves imo. like the whole point of docsearch is they manage the crawling FOR you, but then the "run your own crawler" docs basically hand you a footgun with zero guardrails. they could just... not issue admin-scoped keys through that flow
by TechSquidTV
2 subcomments
I have been developing an OpenClaw-like agent that automates exactly this type of attack.
by fix4fun
0 subcomment
Interesting how many people already are playing with these API keys ? ;)
by toomuchtodo
1 subcomments
Great write up. Reminder that if you commit these to a Github Gist and the provider partners with GitHub for secrets scanning, they’ll rapidly be invalidated.
Hacker News