How I reported Google Map API key leak

-

 Hello Folks,  Sourav from this side. Hope you all are in a great health and doing awesome. I am security enthusiast and bug bounty hunter from India. Today I will discuss about one of report where I reported GMap API key leak to a Bugcrowd's private program.


So let's get started without wasting any time...

So I was hunting on a private program and for the sake of this blog we will use example.com as I am not allowed to disclose the name of the website. 

During my recon process I got a lots of different subdomain for example.coma and one of them was event.example.com. I started traversing the host to look for different functionalities. I usually do the view-source of almost every page. Suddenly this particular view-source page caught my eyes -




Now the above script tag is revealing the Google Map API key. 

Tip - Whenever you get an API key and you don't know how to use it. Follow this awesome repository.


GMap API key leaks... Does it matter??

First of all let me tell you something not all API keys reveals sensitive information but still they have some security impact which we will discuss.

Now if your Google Maps API keys is not restricted properly than someone with API key can make unauthorized calls . So someone can embed your API keys on their project like this -



Here I can use the API keys to make request with Staticmap API. 

I also tried to the API keys with other GMap APIs like Google Place API but they were properly restricted for unauthorized use -



It is strictly recommended that you should restrict your API key to prevent unauthorized use of your API key. For info about restricting Gmap API key Visit.

Tip - When testing the key and key is restricted in one service like Google Place. Try it in all of other service. Like in my case it is not restricted in Staticmap API.

Fine....But what's the impact??

Okay this is not revealing any sensitive data about the victim. But someone having your API key can increase your Bill. For more info on pricing chart for Google Maps APIs see here.
So basically unauthorized user can consume the company's monthly quota and do financial damage if the company don't have any limitation settings on the budget.


There is one thing, Companies can implement a cap on their monthly quote of API calls. For more info  on cap see here

But since there is a limitation present on the API calls than in this case we  can trigger DoS attack. This will hamper the services of the websites which were using Google Maps and hence will hamper User Experience.


That's all for today Folks. You can send and feedback on my LinkedIN or just send a hi.

Till then...

Stay Hydrated and Keep Hacking!!




Comments

Post a Comment

Popular posts from this blog

Hacking wordpress websites via xmlrpc.php

-
Image
  Hello Folks, Sourav from this side. Hope you are doing awesome on the other side of the screen. I am security enthusiast and bug bounty hunter from India. In this article we will discuss about xmlrpc.php in wordpress websites by leveraging which an attacker can attack wordpress websites. So let's get started without wasting much time!! What the heck is xmlrpc.php?? If you guys don't know about xmlrpc.php than please read it about here . But in short xmlrpc.php is a simple, portable way to make remote procedure calls over HTTP. Wordpress, Drupal and most content management system supports XML-RPC. The core features that xmlrpc enabled were allowing you to connect your via smartphone, implementing tracbacks and pingacks from other sites.  Note - XML-RPC is enabled y default in all of the versions of wordpress. Let's move on with the story..... Since I am not allowed to disclose the name of the website that's why we will use example.com for the sake of this article. So f
Read more

How I accidentally found Sensitive data exposure!!

-
Image
  Hello folks, This is Sourav. Hope you are doing awesome on the other side of the screen. I am     security enthusiast and a bug bounty hunter from India. Today I will discuss How I accidentally found a sensitive data exposure during my recon. Okay folks let's get started without wasting any time... One fine day I was looking for some premium themes for wordpress websites and that's how I landed upon a website which provides all kinds Web Development solutions. Since I am not allowed to reveal the name of the website so will take example.com for the sake of this writeup. I don't know what came into me but I thought, let's see how secure is a website itself who provides web development solutions to others. If the website is itself safe enough ?? Let's find out.............. I quickly run amass on example.com and started traversing the application to see how it works. Than I noticed that amass quickly completed its operation. So quickly I took a look at amass outp
Read more

Stories of Pre-Account Takeover

-
Image
Hello Folks, this is Sourav. Hope you are doing well on the other side of the screen. I am a security enthusiast and bug bounty hunter from India. In this blog I will discuss some of my findings on Pre-Account Takeovers. So let's start without wasting much time : What is Pre-Account Takeover?? Pre-Account Takeover is a case of Account Takeover where the attacker has access to the victim's account prior to the victim's registration and then the can observe the victim's actions on the account. So one fine day I started testing the targets for Pre-Account takeovers. So the Pre-Account Takeovers we are discussing in this blog is due to "Improper Oauth Implementation" So you folks might have seen cases where : The website is not verifying the email ID after registration. The website is providing login via 3rd party applications like "Login with Google". Now let's see two slightly different cases which I observed during in the wild - Case 1 In this cas
Read more