HeadlinesBriefing.com

Algolia Admin Keys Exposed in Open-Source Docs: 39 Leaked Keys Found

Via Hacker News

Algolia DocSearch, a free search service for open-source documentation, is being misconfigured at scale. In October 2023, journalist Ben Zimmermann found 39 admin API keys exposed across documentation sites including vuejs.org and Home Assistant. These keys grant full control over the site's search indexes: the ability to delete data, modify index settings, and export content. Zimmermann scraped 15,000 sites and audited GitHub repositories to uncover the exposures, finding keys embedded in frontend code or accidentally committed to version control.

The exposed keys shared an identical permission set: search, addObject, deleteObject, deleteIndex, editSettings, listIndexes, and browse. Some additionally had access to analytics, logs, and natural language processing features. Zimmermann's scripts found 35 keys embedded directly in frontend code, while 4 more surfaced through Git history audits. Affected projects included Home Assistant (85k GitHub stars) and KEDA, a CNCF Kubernetes project. Zimmermann emphasized that only search-only keys belong in frontend code; with the exposed admin keys, an attacker could manipulate search results or delete the index outright.

Algolia's DocSearch program issues search-only keys for exactly this purpose, but many sites mistakenly put admin credentials in their frontend configurations instead. Zimmermann noted that Algolia's own documentation warns against this practice, yet the problem persists at scale. SUSE/Rancher and Home Assistant responded by rotating their keys, but most of the keys on Zimmermann's list remained valid at the time of writing. He emailed his findings to Algolia directly but had received no response.

The exposures point to a systemic misconfiguration problem rather than a flaw in Algolia itself. Zimmermann's tooling, a mix of TruffleHog and custom regex scripts, showed how easily credentials leak when developers use the wrong key type. Fixing the issue requires auditing frontend code and repository history for embedded admin keys, rotating any key found there, and replacing it with a search-only key. Zimmermann's report serves as a wake-up call for open-source maintainers to rigorously review embedded credentials.