Bug Bounty Write up - API Key Disclosure - Google Maps

Google API Keys

Vedant Roy

8/4/2024, 1 min read


An exposed Google Maps API key is a category P4 or Low severity vulnerability that is mostly found in web applications using the Google Maps services.

The weakness lies in how the API key, which authenticates the script to the service, is used in the open: if it is publicly visible in the web page source code or the underlying JS files, an attacker can record it and use it for their own purposes or sell it to someone else.

Misuse of the key can result in financial loss for the website owner or company, as Google charges according to the number of requests made while authenticating to the service with the key.

Steps to find the vulnerability:

API keys, including Google Maps keys, are sometimes leaked in the website's JS files or in the front-end source code. Finding this kind of information manually across thousands of lines of code can be a tedious and time-consuming task, so I use the following tools to find keys or any related secrets.

1. Nuclei Template — Basic detections — Nuclei is one of the best open source tools for vulnerability scanning and finding low-hanging fruit. Since it is entirely based on templates for categorization, the basic detections template is the one for finding generic keys, map keys or any other basic detection.

The following command is used for a list of subdomains:

nuclei -l subdomains.txt -t basic-detections

More details can be found on the Nuclei GitHub page — Nuclei

2. Subdomainizer — This tool is used to find secrets and hashed strings in JS files. It can be used as an alternative to the Nuclei basic detections template.

The following command can be used to find secrets for a list of subdomains.

The following Hackerone report can be used to find more insights — Hackerone report
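The kind of pattern match such scanners rely on can be run over your own site's built HTML and JS before release. This is an added example, not code from the original post or from Nuclei or SubDomainizer; the function names and the sample keys and page are constructed, and it assumes the common Google key shape of "AIza" followed by 35 URL-safe characters.

```python
import re

# Google API keys are 39 characters: the prefix "AIza" plus 35 URL-safe
# characters. The lookarounds keep longer tokens from matching.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")
# Text just before the key ends in a Maps endpoint's ?key= / &key= parameter.
MAPS_RE = re.compile(r"maps\.googleapis\.com/maps/api/[^\s\"']*[?&]key=$")

def redact(key):
    """Keep enough of the key to identify it in a report, never all of it."""
    return key[:8] + "..." + key[-4:]

def find_google_keys(name, text):
    """Return one finding per distinct key found in text (hypothetical helper)."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            key = m.group(0)
            if key in seen:
                continue  # report each key once, at its first occurrence
            seen.add(key)
            in_maps_url = MAPS_RE.search(line[:m.start()]) is not None
            findings.append({
                "file": name,
                "line": lineno,
                "context": "maps-url" if in_maps_url else "literal",
                "key": redact(key),
            })
    return findings

# Constructed sample values, not real keys.
FAKE_KEY = "AIzaSy" + "A1b2C3d4E5f" * 3
FAKE_KEY2 = "AIzaSy" + "Z9y8X7w6V5u" * 3
SAMPLE_HTML = f'''<html><head>
<script src="https://maps.googleapis.com/maps/api/js?key={FAKE_KEY}&libraries=places"></script>
<script>
  var cfg = {{ apiKey: "{FAKE_KEY2}", zoom: 12 }};
  var buildId = "AIzaNotAKeyTooShort";
</script></head></html>'''

if __name__ == "__main__":
    for finding in find_google_keys("index.html", SAMPLE_HTML):
        print(finding)
```

A "maps-url" finding is a key the page is actively sending to the Maps service, while a "literal" finding still needs a check of which Google APIs the key is enabled for.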

Resources:

I have not added the installation steps; they can be found on the tools' respective GitHub pages. Such vulnerabilities mostly fall under informational severity, which results in no payout, and reports are sometimes marked as duplicates.

https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e

https://hackerone.com/reports/1065041

https://hackerone.com/reports/724039