Cracking the UN Code: How I Exposed a Leaky Google Maps API Key and Entered the Hall of Fame


Imagine casually browsing the web, only to stumble upon a major security flaw on a United Nations (UN) website. Seems like the stuff of fiction, right? Well, that’s precisely what happened to me, and today, I’m sharing my exhilarating journey of how I found a “leaked Google Maps API key” on a UN site and ended up in their Hall of Fame. So, buckle up and enjoy this rollercoaster ride of discovery, vulnerability reporting, and recognition!

It all started with a routine exploration of the UN website. As a cybersecurity enthusiast, I often spend my free time hunting for bugs and vulnerabilities, just for the thrill of it. I navigated through several pages, analyzing source codes and inspecting various elements. It was then that I spotted the Google Maps API key, in plain sight, within the site’s source code.

For those who may not know, an API key is a unique identifier that grants developers access to specific functionalities or services, in this case, Google Maps. A leaked API key poses a significant security risk, as it can be exploited by malicious actors to access sensitive information or even rack up substantial costs on the owner’s account.

Knowing the potential consequences of such a bug, I felt compelled to report the issue to the UN as soon as possible. I followed their vulnerability disclosure process and submitted a detailed report, including information on the affected website, a step-by-step reproduction of the bug, and the potential consequences of leaving the vulnerability unpatched.

Issue

By intercepting and going through the request I made from https://<Redacted.com>, I found that the Google Maps API key is leaking through the source code. I am able to validate that the leaked key is a valid one.

Vulnerable Domain: https://<Redacted.com>
Affected JS file leaking the API key:
- https://<Redacted.com>/xyz.js

Steps to reproduce:

1. Copy the API key: <key>
2. Visit the following URI to verify:
https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=<key>

Impact

The API key is what authenticates the script to the service. If it is publicly visible in the web page source code or the underlying JS files, an attacker can record it and use it for their own purposes or sell it to someone else.

Misuse of such a resource can result in financial loss for the website owner/company, as Google charges according to the number of requests made while authenticating to the service with the key.
I have also provided the cost of misuse below:

The API can be misused for the following functionalities:
1. Directions API
2. Geocode API
3. Distance Matrix API
4. Find Place From Text API
5. Autocomplete API
6. Elevation API
7. Place Details API
8. Nearby Search-Places API
9. Text Search-Places API
10. Places Photo API
11. Query Autocomplete-Places API

Fix

Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them. Go to the Google API Console and generate a key, restricting it to URLs that you own (or want to put maps on) to prevent quota “theft”.
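
One way to check the restriction described above across all of a project's keys, as an added example that is not part of the original report: it audits a key inventory in the JSON shape of Google's API Keys API (assumed to match the output of `gcloud services api-keys list --format=json`). The sample keys, display names and the `example.org` referrer are constructed.

```python
import json

# Constructed sample inventory; field names follow the API Keys API v2
# Key resource (assumption: same shape as the gcloud JSON export).
SAMPLE_KEYS = json.loads("""
[
  {"displayName": "site-maps-legacy"},
  {"displayName": "site-maps-referrer-only",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.org/*"]}}},
  {"displayName": "site-maps-wildcard",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*"]},
                    "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"displayName": "site-maps-locked",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.org/*"]},
                    "apiTargets": [{"service": "maps-backend.googleapis.com"}]}}
]
""")

# Application-restriction blocks and the list field inside each one.
APP_RESTRICTIONS = {
    "browserKeyRestrictions": "allowedReferrers",
    "serverKeyRestrictions": "allowedIps",
    "androidKeyRestrictions": "allowedApplications",
    "iosKeyRestrictions": "allowedBundleIds",
}
CATCH_ALL = {"*", "*/*", "0.0.0.0/0"}

def audit_key(key):
    """Return findings for one key; an empty list means it is locked down."""
    findings = []
    r = key.get("restrictions") or {}
    allowed = [v for block, field in APP_RESTRICTIONS.items()
               for v in (r.get(block) or {}).get(field, [])]
    if not allowed:
        findings.append("no application restriction (usable from any origin)")
    elif any(isinstance(v, str) and v.strip() in CATCH_ALL for v in allowed):
        findings.append("application restriction is a catch-all")
    if not r.get("apiTargets"):
        findings.append("no API restriction (every enabled API is callable)")
    return findings

def audit(keys):
    """Map display name -> findings, keeping only keys that have findings."""
    results = {k["displayName"]: audit_key(k) for k in keys}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS).items():
        print(name, "->", "; ".join(findings))
```

A key embedded in a public page should come back with no findings: restricted to the site's own referrers and to only the API the page actually loads.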

To my delight, the UN responded promptly, acknowledging my findings and expressing their gratitude. They informed me that their team was working on fixing the vulnerability and assured me they would keep me updated on the progress. Within a few days, the issue was resolved, and the leaked Google Maps API key was no longer accessible to the public.

As a token of appreciation, the UN added my name to their esteemed Hall of Fame — a list of individuals who have contributed to improving the organization’s cybersecurity. To say I was honored would be an understatement. It was a surreal moment, knowing that my passion for cybersecurity had not only made an impact but also earned me recognition on such a prestigious platform.

This experience has taught me invaluable lessons about the importance of constant vigilance in today’s digital world. It also serves as a reminder that anyone, regardless of their background or expertise, can contribute to making the internet a safer place.

My journey doesn’t end here. I plan to continue honing my skills and seeking out new challenges in the realm of cybersecurity. Who knows what the next adventure might hold? But for now, I revel in the excitement of having made a difference and encourage others to join me in the quest for a more secure digital landscape.

And that, dear reader, is the story of how I cracked the UN code, exposed a leaked Google Maps API key, and landed a spot in their Hall of Fame. I hope my tale inspires you to venture into the fascinating world of cybersecurity and make your own mark on the ever-evolving digital frontier.
