Google Maps API Key

The application's Google Maps API key has no application or API restrictions configured, so anyone who obtains the key can issue requests to the Google Maps Platform on the account's behalf. This could result in financial costs to the victim if a large number of requests are submitted to the API endpoints, and in a worst-case scenario it could even lead to a Denial of Service of the mapping function in the application. While there is no direct impact on the application itself, it is recommended to restrict the usage of the key as per the "API key best practices".

Since there is no direct impact on the application itself, this finding is set as a recommendation.

For reference, please see: https://developers.google.com/maps/api-key-best-practices#restrict_apikey

I tend to use the Google Maps API Scanner when working with this kind of API key. It is a great scanner for finding which Google APIs the key has access to. This is what the results table looks like; depending on how many resources the API key may access, the content of the table will vary.

[Screenshot: Google Maps API Scanner results table]

Impact

A large number of requests sent to the API endpoint by a malicious actor can inflate the costs associated with the account used for the Google Maps Platform service. If there is a configured limit for a maximum billable amount in the account associated with the API key, it might even result in a Denial of Service. Therefore, it is important to restrict API keys with application and API restrictions to prevent unauthorized use and charges.

Proof Of Concept

I've noted that Google API keys tend to start with the characters AIzaSy followed by a run of other random characters. Because I am unsure whether all API keys start with these characters, I have also saved all the custom parameter names I have seen that contain the API key.

Parameters containing API keys

These parameters can take different names depending on the Developer/Administrator. The parameters I have seen containing the API keys are as follows:

key
mapApiKey
gmaps_api_key
GOOGLE_API_KEY
window.googleMapApiKey
landingPageGoogleMapsAPIKey

Curl Syntax

Note that the grep searches for the literal AIzaSy followed by any run of lowercase letters, uppercase letters, digits, underscores and dashes. So far, these are the only characters I have seen in a Google API key.

curl -sk https://example.com/ | grep -oP "AIzaSy[a-zA-Z0-9_-]+"
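The same pattern and the parameter names listed above can be turned into a check a defender runs over their own pages or source before deployment. This is an added example, not part of the original write-up; the key-length check of 39 characters is a heuristic, and the sample HTML and the keys in it are constructed for the demo.

```python
import re

# Same pattern as the grep above: literal "AIzaSy" then letters, digits, "_" or "-".
KEY_RE = re.compile(r"AIzaSy[a-zA-Z0-9_-]+")

# Parameter names the write-up lists as having carried a Google Maps key.
KNOWN_PARAMS = {
    "key", "mapApiKey", "gmaps_api_key", "GOOGLE_API_KEY",
    "window.googleMapApiKey", "landingPageGoogleMapsAPIKey",
}

# Identifier (dots allowed) directly before the key: key=..., "name": "..., a.b = "...
PARAM_BEFORE_RE = re.compile(r'([A-Za-z_][\w.]*)\s*["\']?\s*[:=]\s*["\']?$')


def redact(key: str) -> str:
    """Keep the prefix and last four characters so a finding is identifiable but not reusable."""
    return key[:6] + "..." + key[-4:]


def scan_text(text: str, source: str = "<inline>") -> list[dict]:
    """Return one finding per key candidate in HTML/JS/config text, with the key redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            key = m.group(0)
            pm = PARAM_BEFORE_RE.search(line[:m.start()])
            param = pm.group(1) if pm else None
            findings.append({
                "source": source,
                "line": lineno,
                "param": param,
                "known_param": param in KNOWN_PARAMS,
                "length_ok": len(key) == 39,  # heuristic: Google API keys are 39 chars long
                "redacted": redact(key),
            })
    return findings


# Constructed sample page; the keys below are fake and deliberately not real credentials.
SAMPLE = """\
<script src="https://maps.googleapis.com/maps/api/js?key=AIzaSyEXAMPLE_KEY_NOT_REAL_0123456789ab"></script>
<script>window.googleMapApiKey = "AIzaSyEXAMPLE_KEY_NOT_REAL_0123456789ab";</script>
<!-- no key on this line -->
var cfg = { GOOGLE_API_KEY: "AIzaSytooshort" };
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "index.html"):
        print(f)
```

Run it against a saved copy of your own pages (or the output of the curl above) and treat every finding whose parameter is in KNOWN_PARAMS as a key to restrict or rotate.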

Prove the API key works

When you've found a Google API key, replace <API_KEY> in the URL below with it. If the key is invalid, the Google API will return an error message; if it is valid, it will return a Street View image:

https://maps.googleapis.com/maps/api/streetview?size=400x400&location=35.7040744,139.5577317&fov=100&heading=285&pitch=0&key=<API_KEY>

Remember that there are other URLs that can be used for API key verification. This is because an API key is granted access to particular APIs when it is created, so a key that fails on one endpoint may still work on another. With the Google Maps API Scanner you'll get even more URLs to test with.

[Screenshot: Invalid Google API key]

[Screenshot: Valid Google API key]