Last October I reported an exposed Algolia admin API key on vuejs.org. The key had full permissions: addObject, deleteObject, deleteIndex, editSettings, the works. Vue acknowledged it, added me to their Security Hall of Fame, and rotated the key.
That should have been the end of it. But it got me thinking: if Vue.js had this problem, how many other DocSearch sites do too?
Turns out, a lot.
How Algolia DocSearch works
Algolia's DocSearch is a free search service for open source docs. They crawl your site, index it, and give you an API key to embed in your frontend. That key is supposed to be search-only, but some ship with full admin permissions.
What I found
Most keys came from frontend scraping. Algolia maintains a public (now archived) repo called docsearch-configs with a config for every site in the DocSearch program, over 3,500 of them. I used that as a starting target list and scraped roughly 15,000 documentation sites for embedded credentials. This catches keys that don't exist in any repo because they're injected at build time and only appear in the deployed site:
import re

# Regexes applied to each fetched page. ALGOLIA_RE (a gate that checks the page
# mentions Algolia at all) and valid_app() (a sanity check on candidate app IDs)
# are defined elsewhere in the scraper.
APP_RE = re.compile(r'["\']([A-Z0-9]{10})["\']')   # quoted 10-char Algolia app ID
KEY_RE = re.compile(r'["\']([\da-f]{32})["\']')    # quoted 32-hex Algolia API key

def extract(text, app_ids, api_keys):
    # Skip pages that never reference Algolia to keep false positives down.
    if not ALGOLIA_RE.search(text):
        return
    for a in APP_RE.findall(text):
        if valid_app(a):
            app_ids.add(a)
    api_keys.update(KEY_RE.findall(text))
On top of that I ran GitHub code search to find keys in doc framework configs, then cloned and ran TruffleHog on 500+ documentation site repos to catch keys that had been committed and later removed.
35 of the 39 admin keys came from frontend scraping alone. The remaining 4 were found through git history. Every single one was active at the time of discovery.
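The same regexes can be turned around into a pre-deploy check for your own docs site: scan the built assets for Algolia-shaped credentials and fail the build if any key is not on an allowlist of known search-only keys. This is an added example, not the author's scraper; the sample bundle contents, the allowlist and the `algolia|docsearch` gate are constructed assumptions.

```python
import re

# Assumed shapes (mirroring the post): app IDs are 10 upper-case alphanumerics,
# API keys are 32 lower-case hex characters, and a file only counts if it
# references Algolia or DocSearch at all (cuts false positives on random hashes).
APP_ID_RE = re.compile(r'["\']([A-Z0-9]{10})["\']')
API_KEY_RE = re.compile(r'["\']([0-9a-f]{32})["\']')
ALGOLIA_HINT_RE = re.compile(r'algolia|docsearch', re.IGNORECASE)

def find_credentials(text):
    """Return candidate (app_id, api_key) pairs embedded in one built asset."""
    if not ALGOLIA_HINT_RE.search(text):
        return set()
    app_ids = set(APP_ID_RE.findall(text))
    keys = set(API_KEY_RE.findall(text))
    # Loose pairing: any app ID with any key in the same file.
    return {(a, k) for a in app_ids for k in keys}

def audit_build(files, approved_search_keys):
    """files maps asset path -> text. Returns (path, app_id, key) for every
    embedded key that is not on the approved search-only allowlist."""
    findings = []
    for path, text in files.items():
        for app_id, key in sorted(find_credentials(text)):
            if key not in approved_search_keys:
                findings.append((path, app_id, key))
    return findings

# Constructed sample build output: one current search key, one stale key left in
# a legacy script, and an unrelated file that never mentions Algolia.
SAMPLE_FILES = {
    "assets/search.js": 'docsearch({appId:"DOCSAPP001",apiKey:'
                        '"0123456789abcdef0123456789abcdef",indexName:"docs"})',
    "assets/legacy.js": 'const algolia = {app:"DOCSAPP001", '
                        'key:"deadbeefdeadbeefdeadbeefdeadbeef"};',
    "assets/vendor.js": 'var id = "ABCDEFGHIJ"; var h = "deadbeefdeadbeefdeadbeefdeadbeef";',
}
# Constructed allowlist: the only key that should ever ship to the frontend.
APPROVED_SEARCH_KEYS = {"0123456789abcdef0123456789abcdef"}

if __name__ == "__main__":
    for path, app_id, key in audit_build(SAMPLE_FILES, APPROVED_SEARCH_KEYS):
        print(f"unapproved Algolia key in {path}: app={app_id} key={key}")
```

Run it against the real build directory by loading each HTML/JS file into the `files` mapping; a non-empty result should fail the CI job.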