We’re experiencing an issue where a spammer is gaining access to the admin API key and using that for sending spam requests directly to the Algolia endpoint. We’ve regenerated the Admin API key multiple times and within 1-2 days each time the spammer picks up the Admin API key value again.
Is there any way that the plugin is exposing the Admin API key on the front end somehow? Algolia tech support has been unable to find any other way for the value to be exposed to the spammer.
The only way I can think of that they’d potentially be getting that information would be if they’re somehow managing to get hold of the search client object. That’s not something we coded special, but instead is coming from our bundled copy of https://github.com/algolia/algoliasearch-client-php
Are you defining your API keys via the settings page? Or are you perhaps using something like the PHP constants that can be added to your wp-config.php?
Would any of that search client object be exposed on the front end in some way? I’m not seeing any indication that they have actual WP code or admin access at this point.
Here’s a screenshot of an example spam request. You can see for User-Agent it’s Algolia for PHP rather than a web browser. Would that indicate it has access to something on the back end in your opinion?
The API key being passed with this request is the admin key rather than the public-facing search key.
Just figured this out. Basically what’s happening is we’re using a custom search query parameter, and if the spammer uses the default /?s=something, that calls the API directly using the Admin API key. Doesn’t look like the key is actually exposed anywhere, but it was interesting that using the “s” parameter uses the Admin API key rather than the Search key provided in the settings.
Is it possible to disable using the admin API key for searches? We’re using a specific search key that limits the searches and when the admin API key is used that circumvents any of the limiting functionality.
This is the ADMIN API key. Please keep it secret and use it ONLY from your backend: this key is used to create, update and DELETE your indices. You can also use it to manage your API keys.
All stuff that shouldn’t be getting done from performing searches.
Remind me again where you’re seeing the key from the frontend.
We’re having spammers submit junk searches directly through the site search rather than using the Instantsearch.js or autocomplete methods. When the search is submitted directly via PHP, the search API is using the admin key rather than the search key.
When I look at the logs, for any of the searches that come up with Algolia for PHP set as the User-Agent, the key provided is the admin key. I can provide more detailed logs if you have a secure way to send the files over.
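The check described in the post above, as an added example that is not part of the thread and not code from the WP Search with Algolia plugin: scan request logs for query calls made with the admin key instead of the search-only key. The log format (one JSON object per line with method, path, user_agent and an obfuscated api_key), the key prefixes and the User-Agent strings are all constructed for this example; the only things taken from the thread are that server-side calls identify themselves as "Algolia for PHP" and that keys appear obfuscated in the logs, so the comparison is on the visible prefix.

```python
"""Audit Algolia request logs for search calls that carry the admin API key.

Added example; not code from the WP Search with Algolia plugin or the thread.
The log format below is constructed for the example (field names are
assumptions), as are the key prefixes and User-Agent values.
"""
import json
import re

# Constructed key prefixes (not real keys). Logs show keys obfuscated, so
# classification is on the visible leading characters only.
KEY_ROLES = {
    "7a4f": "admin",    # admin API key: indexing, settings, key management
    "c91e": "search",   # search-only key configured in the plugin settings
}

# Query (read) operations in the Algolia REST API: single- and multi-index search.
SEARCH_PATH = re.compile(r"^/1/indexes/(?:[^/]+/query|\*/queries)$")


def parse_log(text):
    """Parse newline-delimited JSON log entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def key_role(api_key):
    """Classify an (obfuscated) key as admin, search or unknown by its prefix."""
    for prefix, role in KEY_ROLES.items():
        if api_key.startswith(prefix):
            return role
    return "unknown"


def is_search_request(entry):
    """True for POSTs to a query endpoint; settings/indexing calls are excluded."""
    return entry["method"] == "POST" and bool(SEARCH_PATH.match(entry["path"]))


def is_server_side(entry):
    """The PHP client identifies itself in the User-Agent; browsers do not."""
    return entry["user_agent"].startswith("Algolia for PHP")


def find_violations(entries):
    """Return search requests that were made with the admin key.

    Each hit is a query that bypassed whatever restrictions were placed on the
    search-only key, which is what the thread describes for ?s= searches.
    """
    return [
        e for e in entries
        if is_search_request(e) and key_role(e["api_key"]) == "admin"
    ]


def summarize(entries):
    """Count search requests per (client kind, key role) for a quick overview."""
    counts = {}
    for e in entries:
        if not is_search_request(e):
            continue
        client = "php-backend" if is_server_side(e) else "browser"
        key = (client, key_role(e["api_key"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log: a browser search with the search key, two backend
# searches with the admin key, one legitimate admin-key settings call, and a
# backend search with the search key (what the fix should produce).
SAMPLE_LOG = """\
{"method":"POST","path":"/1/indexes/wp_posts/query","user_agent":"Algolia for JavaScript (4.13.1); Browser","api_key":"c91e****************************"}
{"method":"POST","path":"/1/indexes/wp_posts/query","user_agent":"Algolia for PHP (3.3.0); PHP (7.4.3)","api_key":"7a4f****************************"}
{"method":"PUT","path":"/1/indexes/wp_posts/settings","user_agent":"Algolia for PHP (3.3.0); PHP (7.4.3)","api_key":"7a4f****************************"}
{"method":"POST","path":"/1/indexes/*/queries","user_agent":"Algolia for PHP (3.3.0); PHP (7.4.3)","api_key":"7a4f****************************"}
{"method":"POST","path":"/1/indexes/wp_posts/query","user_agent":"Algolia for PHP (3.3.0); PHP (7.4.3)","api_key":"c91e****************************"}
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for v in find_violations(entries):
        print("admin key used for search:", v["path"], "via", v["user_agent"])
    print(summarize(entries))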
Still trying to make sure we’re tracking things down properly. The only time I can see that we’re running code that involves the admin API key, is during some load indices calls, but those are also not returning anything that would be accessible from the frontend either. More on the watchers side.
I know you sent over some search logs, and I’m wondering if your main suspicion of admin API key is because they’re listed, though obfuscated in the search log data and that’s been a primary lead?
The topic ‘Spammer using Admin API Key’ is closed to new replies.