I Found 39 Algolia Admin Keys Exposed Across Open Source Documentation Sites

Last October I reported an exposed Algolia admin API key on vuejs.org. The key had full permissions: addObject, deleteObject, deleteIndex, editSettings, the works. Vue acknowledged it, added me to their Security Hall of Fame, and rotated the key. That should have been the end of it. But it got me thinking: if Vue.js had this problem, how many other DocSearch sites do too? Turns out, a lot.

How Algolia DocSearch works

Algolia's DocSearch is a free search service for open source docs. They crawl your site, index it, and give you an API key to embed in your frontend. That key is supposed to be search-only, but some ship with full admin permissions.

What I found

Most keys came from frontend scraping. Algolia maintains a public (now archived) repo called docsearch-configs with a…
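The distinction the post turns on is the ACL attached to the key a site embeds: a DocSearch frontend needs only "search", while a key carrying addObject, deleteObject, deleteIndex or editSettings is an admin key in all but name. The following is an added example, not the author's tooling or Algolia's code, of the check a docs-site owner can run before shipping a key. It assumes the shape Algolia's REST API documents for a key-permissions response (an "acl" list plus metadata); the sample responses and key values are constructed placeholders, and the lookup request is only built, not sent, so it runs offline.

```python
"""Audit the ACL of an Algolia API key before embedding it in a public frontend.

Added example for this post; it is not the author's tooling or Algolia's own
code. Algolia's REST API describes a key's permissions as an "acl" list; the
responses used here are CONSTRUCTED to match that shape so the check runs offline.
"""
import json

# ACLs that let the holder modify indices or their settings; never in a browser key.
ADMIN_ACLS = frozenset({"addObject", "deleteObject", "deleteIndex", "editSettings"})
# The only ACL a DocSearch-style frontend key actually needs.
SEARCH_ONLY = frozenset({"search"})


def build_key_lookup_request(app_id: str, api_key: str) -> dict:
    """Describe the request that returns a key's own ACL (not sent here).

    Per Algolia's REST docs, GET /1/keys/{key} authenticated with that same key
    returns that key's permissions (an admin key can look up any key).
    Only the request description is built so the example stays offline.
    """
    return {
        "method": "GET",
        "url": f"https://{app_id}-dsn.algolia.net/1/keys/{api_key}",
        "headers": {
            "X-Algolia-Application-Id": app_id,
            "X-Algolia-API-Key": api_key,
        },
    }


def classify_acl(acl) -> str:
    """Return 'search-only', 'over-broad', or 'admin' for a key's ACL list."""
    acl_set = set(acl)
    if acl_set & ADMIN_ACLS:
        return "admin"
    if acl_set <= SEARCH_ONLY:
        return "search-only"
    return "over-broad"


def audit_key_response(body: str) -> dict:
    """Parse a /1/keys/{key} JSON response and report whether it is safe to embed."""
    data = json.loads(body)
    acl = data.get("acl", [])
    verdict = classify_acl(acl)
    return {
        "verdict": verdict,
        "safe_to_embed": verdict == "search-only",
        "offending_acls": sorted(set(acl) - SEARCH_ONLY),
    }


# CONSTRUCTED sample responses in the shape Algolia documents for GET /1/keys/{key}.
SAMPLE_ADMIN_KEY = json.dumps({
    "value": "EXAMPLE_KEY_PLACEHOLDER",
    "acl": ["search", "addObject", "deleteObject", "deleteIndex", "editSettings"],
    "description": "docsearch",
})
SAMPLE_SEARCH_KEY = json.dumps({"value": "EXAMPLE_KEY_PLACEHOLDER", "acl": ["search"]})

if __name__ == "__main__":
    for label, body in (("admin-style key", SAMPLE_ADMIN_KEY), ("search key", SAMPLE_SEARCH_KEY)):
        print(label, audit_key_response(body))
```

Anything other than a "search-only" verdict means the key should be replaced with a dedicated search key before it goes into a public bundle; the "over-broad" bucket catches keys that cannot write but still expose more than a docs search needs (browse, analytics and the like).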
