• Resolved Gabe Shackle

    (@hereswhatidid)


    We’re experiencing an issue where a spammer is gaining access to the admin API key and using that for sending spam requests directly to the Algolia endpoint. We’ve regenerated the Admin API key multiple times and within 1-2 days each time the spammer picks up the Admin API key value again.

    Is there any way that the plugin is exposing the Admin API key on the front end somehow? Algolia tech support has been unable to find any other way for the value to be exposed to the spammer.

  • Plugin Contributor Michael Beckwith

    (@tw2113)

    The BenchPresser

    Only way I can think of and see how they’d potentially be getting that information would be if they’re somehow managing to get ahold of the search client object. That’s not something we coded special, but instead is coming from our bundled copy of https://github.com/algolia/algoliasearch-client-php

    Are you defining your API keys via the settings page? Or are you perhaps using something like the PHP Constants that can be added to your wp-config.php?

    Thread Starter Gabe Shackle

    (@hereswhatidid)

    I’m currently defining them via the settings page.

    Plugin Contributor Michael Beckwith

    (@tw2113)

    The BenchPresser

    I wonder if setting via the constants could potentially help in this specific case. However, I can’t guarantee it.

    Thread Starter Gabe Shackle

    (@hereswhatidid)

    Would any of that search client object be exposed on the front end in some way? I’m not seeing any indication that they have actual WP code or admin access at this point.

    Plugin Contributor Michael Beckwith

    (@tw2113)

    The BenchPresser

    Nothing that shouldn’t be exposed directly and scrapable. For example something like:

    let apikey = 'somerandomstringvalue';

    from localized data on the server side.

    Not sure if they could somehow be intercepting and reading POST requests for the search queries.

    Thread Starter Gabe Shackle

    (@hereswhatidid)

    Here’s a screenshot of an example spam request. You can see for User-Agent it’s Algolia for PHP rather than a web browser. Would that indicate it has access to something on the back end in your opinion?

    The API key being passed with this request is the admin key rather than the public-facing search key.

    Thread Starter Gabe Shackle

    (@hereswhatidid)

    Just figured this out. Basically what’s happening is we’re using a custom search query parameter and if the spammer uses the default /?s=something that calls the API directly using the Admin API key. Doesn’t look like the key is actually exposed anywhere but it was interesting that using the “s” parameter uses the Admin search key rather than the Search key provided in the settings.

    Plugin Contributor Michael Beckwith

    (@tw2113)

    The BenchPresser

    Very interesting and good to know.

    Thread Starter Gabe Shackle

    (@hereswhatidid)

    Is it possible to disable using the admin API key for searches? We’re using a specific search key that limits the searches and when the admin API key is used that circumvents any of the limiting functionality.

    Plugin Contributor Michael Beckwith

    (@tw2113)

    The BenchPresser

    According to the UI in the algolia.com dashboard:

    This is the ADMIN API key. Please keep it secret and use it ONLY from your backend: this key is used to create, update and DELETE your indices. You can also use it to manage your API keys.

    All stuff that shouldn’t be getting done from performing searches.

    Remind me again where you’re seeing the key from the frontend.

    Thread Starter Gabe Shackle

    (@hereswhatidid)

    We’re having spammers submit junk searches directly through the site search rather than using the Instantsearch.js or autocomplete methods. When the search is submitted directly via PHP, the search API is using the admin key rather than the search key.

    When I look at the logs any of the searches that come up with Algolia for PHP set as the User-Agent the key provided is the admin key. I can provide more detailed logs if you have a secure way to send the files over.
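    An added example, not code from the plugin or from algoliasearch-client-php, of the separation Gabe is asking for: a client built from the search-only key for anything an HTTP request can trigger (including the native ?s= search), and the admin key reserved for indexing paths that cannot be reached from the front end. The constant names, the index name and the post_id record attribute are assumptions.

```php
<?php
// Added example, not code from the plugin or from algoliasearch-client-php.
// Assumed (hypothetical) constant names: ALGOLIA_APP_ID, ALGOLIA_SEARCH_ONLY_KEY, ALGOLIA_ADMIN_KEY.
// Assumed index name 'wp_posts_post' with a 'post_id' attribute on each record.
// The search-only key is expected to carry Algolia's own restrictions (rate limit,
// allowed indices) configured in the dashboard; the admin key bypasses all of them.
use Algolia\AlgoliaSearch\SearchClient;

final class AlgoliaClients
{
    /** Client for anything an HTTP request can trigger: ?s=, REST, AJAX, templates. */
    public static function forSearch(): SearchClient
    {
        return SearchClient::create(ALGOLIA_APP_ID, ALGOLIA_SEARCH_ONLY_KEY);
    }

    /** Client for index pushes/deletes; refuses to build in a front-end request context. */
    public static function forIndexing(): SearchClient
    {
        $trusted = (defined('WP_CLI') && WP_CLI) || wp_doing_cron() || current_user_can('manage_options');
        if (!$trusted) {
            throw new RuntimeException('Refusing to use the Algolia admin key in a front-end request');
        }
        return SearchClient::create(ALGOLIA_APP_ID, ALGOLIA_ADMIN_KEY);
    }
}

// Route native WordPress search (?s=term) through the search-only key instead of the admin key.
add_filter('posts_pre_query', function ($posts, WP_Query $query) {
    if (is_admin() || !$query->is_main_query() || !$query->is_search()) {
        return $posts; // leave every other query to WordPress
    }
    $term = trim((string) $query->get('s'));
    if ($term === '' || strlen($term) > 200) {
        return []; // empty or oversized term: no Algolia call at all
    }
    $result = AlgoliaClients::forSearch()
        ->initIndex('wp_posts_post')
        ->search($term, ['hitsPerPage' => 10, 'attributesToRetrieve' => ['post_id']]);
    $ids = array_map('intval', array_column($result['hits'], 'post_id'));
    if ($ids === []) {
        return [];
    }
    // Short-circuiting the query means we set found_posts ourselves; keep Algolia's ranking order.
    $query->found_posts = count($ids);
    return get_posts(['post__in' => $ids, 'orderby' => 'post__in', 'post_type' => 'any', 'numberposts' => count($ids)]);
}, 10, 2);
```

Any request path that ends up calling AlgoliaClients::forIndexing() from a plain page load now fails loudly, which is the condition the spam log lines (User-Agent "Algolia for PHP", admin key) would have tripped.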

    Plugin Contributor Michael Beckwith

    (@tw2113)

    The BenchPresser

    [email protected] will reach us securely and away from the public forums here.

    Plugin Contributor Michael Beckwith

    (@tw2113)

    The BenchPresser

    Still trying to make sure we’re tracking things down properly. The only time I can see that we’re running code that involves the admin API key is during some load indices calls, but those are also not returning anything that would be accessible from the frontend either. More on the watchers side.

    I know you sent over some search logs, and I’m wondering if your main suspicion of admin API key is because they’re listed, though obfuscated in the search log data and that’s been a primary lead?

  • The topic ‘Spammer using Admin API Key’ is closed to new replies.