I Found 39 Algolia Admin Keys Exposed Across Open Source Documentation Sites

https://benzimmermann.dev/blog/algolia-docsearch-admin-keys
59•kernelrocks•1h ago

Comments

toomuchtodo•1h ago
Great write-up. Reminder that if you commit these to a GitHub Gist and the provider partners with GitHub for secrets scanning, they’ll rapidly be invalidated.
pwdisswordfishy•1h ago
That's just a tautology.

"If the secrets issuer partners with X-corp for secret scanning so that secrets get invalidated when you X them, then when you X them the secrets will be invalidated".

The above is a true statement for all X.

nightpool•1h ago
? Yes? Toomuchtodo is reminding the author (and other commenters) that GitHub Gists are one way to make sure secrets are secured / remediated before making a public post like this. Maybe not the most responsible whitehat action, but I can see it being useful in some cases where outreach is impractical / has failed.

Unfortunately, it doesn't look like Algolia has implemented this.

TurdF3rguson•25m ago
I'm not following this at all. It seems like OP is saying if you share a secret in your (private?) gist and give Algolia permission to read the gist, they will invalidate it. But why would the secret be in a gist and not a repo? Also if you're aware enough to add that partner it seems you're aware to not do dumb things like that in the first place.
richbell•18m ago
If you find an exposed token in the wild, for a service supported by GitHub Secret Scanning, uploading it to a Gist will either immediately revoke it or notify the owner.
wat10000•1h ago
English is not formal logic.

In formal logic, that statement is true whether X is GitHub, or Lockheed-Martin, Safeway, or the local hardware store.

In English, the statement serves to inform (or remind) you that GitHub has a secret scanning program that many providers actually do partner with.

pwdisswordfishy•35m ago
Yes, and in the real world, where Grice's Maxim of Relevance is in force, when the secrets issuer that is the subject of the discussion isn't one of those partners, an informative "reminder" that GitHub "has a secret scanning program" with a bunch of other partners is not actually informative. It's as superfluous and unhelpful as calling to let someone know you're not interested in the item they've posted for sale on Craigslist (<https://www.youtube.com/watch?v=xWG3jKzKcm8>).
richbell•29m ago
How is reminding people that they can safely revoke exposed API keys not informative? Why are you being so combative?
wat10000•16m ago
It's more useful than telling someone that their statement is a tautology in formal logic.
fix4fun•1h ago
Interesting how many people are already playing with these API keys? ;)
stickynotememo•1h ago
So why hasn't the HomeAssistant docs page been nuked yet?
netsharc•1h ago
Man, talk about unnecessary graphs... OK, graph 2 is maybe tolerable, although it's showing the popularity of the projects, not a metric of how many errors/vulnerabilities were found in those projects.

I'm not a newspaper editor, but I think if this were an article for one, they'd also say the graphs are unnecessary. It smells of "I need some visual stuff to make this text interesting"...

throwaway5465•1h ago
It's Friday night / Saturday morning. Who wants to be reading text?

Especially on night mode themes.

Besides, can we read anymore? In the age of 'GPT, summarise it for me' attention spans, and of glib commentary not about the content of the article being all many people have to add, perhaps liberal application of visualisations adds digestive value.

binarymax•30m ago
Dude, there are only three graphs in there. Do they really bother you that much? The third may be a bit unnecessary, but I think the visuals add to the post.
netsharc•2m ago
So you agree partially with what I said.

The poster is 16, he can take it as feedback towards effective writing. Or the intellectual HN crowd can just downvote it and dissuade me from contributing and helping a kid (oh look at me, how fucking noble am I, right?).

Ah, that feeling of "Am I the only one who gets it around here?". I wanted to explain to you why graph 2 is dumb, and graph 1 is very little information, but heck, I felt dissuaded.

TechSquidTV•16m ago
I have been developing an OpenClaw-like agent that automates exactly this type of attack.

Monty Python Got It Wrong About Medieval Disease

https://www.sciencedaily.com/releases/2026/03/260313002645.htm
1•bookmtn•43s ago•0 comments

Mega-OS – 38-agent operating system that runs inside Claude Code

https://github.com/sly-the-fox/mega-os-public
1•slythefox•2m ago•1 comments

$2B nonprofit grants traced to find who's behind age verification bills

https://old.reddit.com/r/linux/comments/1rshc1f/i_traced_2_billion_in_nonprofit_grants_and_45/
1•spaghetdefects•4m ago•0 comments

Elon Musk's Ketamine Use Can't Be Probed in OpenAI Fraud Trial

https://www.bloomberg.com/news/articles/2026-03-13/elon-musk-s-ketamine-use-can-t-be-probed-in-op...
1•caaqil•5m ago•0 comments

Show HN: SupplementDEX – The Evidence-Based Supplement Database

https://supplementdex.com/
1•richarlidad•5m ago•0 comments

Show HN: I built an interactive 3D three-body problem simulator in the browser

https://structuredlabs.github.io/threebodyproblem/
1•amrutha_•6m ago•0 comments

The Egg (2009)

https://www.galactanet.com/oneoff/theegg_mod.html
1•basilikum•7m ago•0 comments

What happens when an autonomous robotaxi gets into an accident?

https://twitter.com/seventensuited/status/2032134435924295805
1•paulnpace•8m ago•0 comments

The Collapse of the Incentive to Make

https://www.carlos-menezes.com/posts/collapse-of-the-incentive-to-make
1•carlos-menezes•9m ago•0 comments

Spotify Silently Updates Itself (and How to Stop It)

https://duckass.bearblog.dev/how-spotify-silently-updates-itself-and-how-to-stop-it/
1•lschueller•11m ago•1 comments

Let the Code Do the Talking

https://sunilpai.dev/posts/after-wimp/
1•aratahikaru5•12m ago•0 comments

RAM: WTF? (2025)

https://gamersnexus.net/news/ram-wtf
1•pabs3•14m ago•0 comments

Sniffer dogs can detect wildlife trafficking via shipping container air samples

https://phys.org/news/2026-02-sniffer-dogs-wildlife-trafficking-shipping.html
1•PaulHoule•15m ago•0 comments

Instagram to discontinue end-to-end encryption for DMs

https://www.androidpolice.com/instagram-is-getting-rid-of-end-to-end-encryption-for-dms/
1•zugi•16m ago•0 comments

Gallo-Roman dodecahedron: twelve faces, zero answers?

https://nunc.ch/en/gallo-roman-dodecahedron-twelve-faces-zero-answers/
1•az09mugen•18m ago•0 comments

What Does Extreme Wealth Do to the Brain?

https://nymag.com/intelligencer/article/what-does-extreme-wealth-do-to-the-brain.html
1•pseudolus•19m ago•1 comments

Microplastics that accumulate in the body may 'clog up' immune cells

https://www.livescience.com/health/microplastics-that-accumulate-in-the-body-may-clog-up-immune-c...
1•jhncls•20m ago•0 comments

Our Experience with I-Ready

https://moultano.wordpress.com/2026/03/12/our-experience-with-i-ready/
2•barry-cotter•20m ago•1 comments

New gel-based system allows bacteria to act as bioelectrical sensors

https://news.rice.edu/news/2026/new-gel-based-system-allows-bacteria-act-bioelectrical-sensors
1•geox•20m ago•0 comments

Prairieland 19 Case Update

https://www.wewillfreeus.org/prairieland-19-case-update/
1•pabs3•21m ago•0 comments

AMD: WTF? [video]

https://www.youtube.com/watch?v=uJcf2UGCH1w
2•pabs3•23m ago•0 comments

Benchmarking Language Modeling for Lossless Compression of Full-Fidelity Audio

https://arxiv.org/abs/2603.08683
2•ogurechny•23m ago•0 comments

How we compare model quality in Cursor

https://cursor.com/blog/cursorbench
1•gmays•26m ago•0 comments

Show HN: Pixel Press – Fast Image Converter for Windows (WebP / AVIF)

1•ghostlyInc•27m ago•0 comments

In Search of Banksy

https://www.reuters.com/investigates/special-report/global-art-banksy/
2•skibz•28m ago•0 comments

Show HN: I wrote my first neural network

https://github.com/stupid-genius/Perceptron
2•allenng•28m ago•0 comments

Show HN: Commute home, hit the banana, feel nice

https://banana-car.netlify.app/
1•whothatcodeguy•29m ago•0 comments

Show HN: Monetize your APIs by injecting agent targeted instructions

https://github.com/daninge/ad-injector
2•dinge•29m ago•0 comments

PoC for partially desynchronizing Windows PatchGuard

https://github.com/afonp/timerflip
1•afpereira•29m ago•1 comments

"This Is Not the Computer for You" Debunked

https://lapcatsoftware.com/articles/2026/3/7.html
1•latexr•34m ago•0 comments