I found 39 Algolia admin keys exposed across open source documentation sites

kernelrocks 106 points 23 comments March 13, 2026
benzimmermann.dev · View on Hacker News

Discussion Highlights (6 comments)

toomuchtodo

Great write up. Reminder that if you commit these to a Github Gist and the provider partners with GitHub for secrets scanning, they’ll rapidly be invalidated.

fix4fun

Interesting how many people are already playing with these API keys? ;)

stickynotememo

So why hasn't the HomeAssistant docs page been nuked yet?

netsharc

Man, talk about unnecessary graphs... OK, graph 2 is maybe tolerable, although it's showing the popularity of the projects, not a metric of how many errors/vulnerabilities were found in those projects. I'm not a newspaper editor, but I think if this were an article for one, they'd also say the graphs are unnecessary. It smells of "I need some visual stuff to make this text interesting"...

TechSquidTV

I have been developing an OpenClaw-like agent that automates exactly this type of attack.

tcbrah

The wildest part is Algolia just not responding. You email them saying "hey, 39 of your customers have admin keys in their frontend" and they ghost you? That's way worse than the keys themselves, imo. Like, the whole point of DocSearch is they manage the crawling FOR you, but then the "run your own crawler" docs basically hand you a footgun with zero guardrails. They could just... not issue admin-scoped keys through that flow.
