SoftwaresCRM: Guides for learning to surf the Android

Discover 32 dangerous applications for users

A proprietary API has a vulnerability that allows access to and modification of sensitive user data in 32 undisclosed applications.

3 million downloads and malware with sensitive powers: discover 32 dangerous apps for users
Applications on an Android device

Security on Android never stops being a hot topic. Not so long ago we were talking about more than 1,800 Android and iOS applications with security problems, and today we continue to face this horrible problem. There aren't that many applications this time, but there are enough of them that can leak sensitive user data.

The news comes to us from Bleeping Computer, where they tell us that 32 applications with over 3 million downloads may be hazardous to user safety. In particular, the API they all use can lead to access to sensitive user information and to changes to an application's data and even its settings.

Here are the details of the vulnerability

As I said, the affected applications use the Algolia API. This API is a proprietary platform for integrating search engines with discovery and recommendation functionality into websites and applications, and it is used by more than 11,000 companies.

Algolia uses five API keys distributed over the areas of administration, search, monitoring, usage and analytics. Of these keys, the only one that is public and whose code is available is the search key, since it allows users to perform queries in applications.

As you might expect, the admin key is the one that provides access to the other four, and it is the one that, with the appropriate measures, allows the disclosure of data about the user's device and its access to the network, usage statistics and search files, as well as the manipulation of related information.

The vulnerability works in the following way:

  • The attacker gains access to the leaked admin key.
  • The admin key is used to access various predefined keys from the other categories.
  • API keys allow the attacker to access and modify sensitive user data.
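
A release gate that enforces the rule described above, that only the search key may be public, so a higher-privilege key is caught before it ships inside an app. This is an added example, not code from the article or from the API provider; it assumes a hypothetical team-maintained inventory mapping key fingerprints to the five areas, and that keys are 32-character alphanumeric tokens. All keys and files below are constructed sample data.

```python
import hashlib
import re

# Key areas come from the article; only the search key is meant to be public.
PUBLIC_ROLES = {"search"}

# Assumption: candidate keys are 32-character alphanumeric tokens.
TOKEN_RE = re.compile(r"\b[A-Za-z0-9]{32}\b")


def fingerprint(key: str) -> str:
    """SHA-256 fingerprint, so the inventory never has to store raw keys."""
    return hashlib.sha256(key.encode()).hexdigest()


def audit_bundle(files: dict[str, str], inventory: dict[str, str]) -> list[tuple[str, int, str]]:
    """Return (path, line_no, role) for every non-public key found in client files.

    files: path -> text of a file that ships inside the app (hypothetical layout).
    inventory: key fingerprint -> role, maintained by the team (hypothetical).
    """
    findings = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for token in TOKEN_RE.findall(line):
                role = inventory.get(fingerprint(token))
                # Unknown tokens are ignored; known keys must be public-scoped.
                if role is not None and role not in PUBLIC_ROLES:
                    findings.append((path, line_no, role))
    return findings


# Constructed sample data: fake keys and a fake app bundle.
SEARCH_KEY = "a" * 16 + "0123456789abcdef"
ADMIN_KEY = "f" * 16 + "fedcba9876543210"
INVENTORY = {fingerprint(SEARCH_KEY): "search", fingerprint(ADMIN_KEY): "administration"}
BUNDLE = {
    "res/values/strings.xml": f'<string name="search_key">{SEARCH_KEY}</string>\n',
    "src/SearchClient.java": f'// client setup\nString apiKey = "{ADMIN_KEY}";\n',
}

if __name__ == "__main__":
    for path, line_no, role in audit_bundle(BUNDLE, INVENTORY):
        print(f"{path}:{line_no}: embedded {role} key; only search keys may ship in clients")
```

Run against the decompiled or unpacked build output in CI and fail the build on any finding; a key that has already shipped must also be rotated, since removing it from the next release does not revoke it.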

No information was given about the 32 affected applications, apart from how often they were downloaded and the category where keys were most likely to be disclosed, namely shopping and online commerce applications. In total, these were downloaded 2.3 million times.

Other affected categories are also listed: messaging applications, home food and drink ordering, education, fitness, photography, lifestyle, productivity, medicine and business. However, the number of downloads is much lower: 950,000 times.

The source reports that all the developers responsible for these applications have been contacted to let them know; however, they have not responded. I hope that this problem will be fixed soon.
