Security Experts:

Connect with us

Hi, what are you looking for?



Search Company Algolia Hacked via Recent Salt Vulnerabilities

A couple of Salt vulnerabilities addressed last week were abused over the weekend to hack Algolia’s infrastructure, the search-as-a-service startup revealed.

A couple of Salt vulnerabilities addressed last week were abused over the weekend to hack Algolia’s infrastructure, the search-as-a-service startup revealed.

An open-source configuration tool designed for monitoring and updating the state of servers deployed in datacenters and in the cloud, Salt was recently found to be impacted by two issues that could allow attackers to execute arbitrary commands.

Tracked as CVE-2020-11651 and CVE-2020-11652 and considered critical (CVE-2020-11651 has a CVSS score of 10), the vulnerabilities were patched last week. F-Secure, the security firm that discovered the flaws, warned that they require immediate attention: “Patch by Friday or compromised by Monday,” they said.

The vulnerability only occurs if the Salt master (the central server to which “minions” connect) is exposed to the Internet. A week ago, there were roughly 6,000 instances of exposed Salt masters (Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier).

Attackers wasted no time and the first assaults targeting the critical vulnerability were launched over the weekend. LineageOS, Ghost and DigiCert were among the first to have confirmed compromises, but were not the only ones.

U.S. startup Algolia, which offers a web search product through a SaaS (Search-as-a-Service) model to more than 9,000 customers, this week revealed that it too was hit via the Salt vulnerability over the weekend.

Abusing CVE-2020-11651, hackers managed to install both a cryptocurrency miner and a backdoor on multiple Algolia servers. The attack took place on May 3 and more than 500 of the company’s servers were impacted, most of them temporarily losing indexing service, with some also losing search capabilities.

During the incident, Algolia says, roughly 2% of its servers were impacted by a search downtime longer than 5 minutes, and less than 1% were impacted by a search downtime longer than 10 minutes.

The company was able to immediately shut down the configuration manager involved in the incident, removed the malware, and then restored files back to their original state. The last impacted server was rebooted seven hours after the initial attack alert was triggered.

According to Algolia, analysis of the payloads executed during the attack has revealed that the only goal of the threat actor behind the assault was to mine cryptocurrencies, “and not to collect, alter, destroy or damage data”.

The company says it has already taken steps to ensure similar incidents won’t happen again, including updating the SaltStack service, changing security keys, and restricting access keys to specific IPs of servers, and it plans to implement additional security measures as well.

“Clients who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability. […] Although there was no initial evidence that the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorized users since the release of the patches,” Alex Peay, SVP of product and marketing at SaltStack, said in an emailed statement earlier this week.

“We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security. It is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations,” Peay also said.

Related: Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers

Related: Critical Vulnerability in Salt Requires Immediate Patching

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.