Google map API Key Disclosure Vulnerability

Hello, Hacker! In this write-up, we are going to read about the Google Maps API key disclosure vulnerability. I hope you all will like this, and let’s get started. Let’s follow the WWH rule for a better understanding of our learning process. If you are new to my write-up, let me tell you what the WWH rule is. WWH (why, what, and how) is the rule I follow in order to learn new things. Let’s start with why.

Why do we have to learn about the Google API key, what we will learn from it, and how we are going to find this vulnerability? If don’t know what google map api key, It is a paid service that allows an application to embed with the Google Maps database and use it in their own application. Some developers forget to hide these API keys, which are misused by attackers.

An attacker can utilize the monthly quota of the API key, which can cause financial loss to the organization. In order to protect the organization from financial loss, we, the ethical hackers, play a role by reporting these vulnerabilities and getting them fixed. API key’s are something that can leak from the website's javascript file or the source code of the application.

The misuse of such a resource can result in financial loss for the website owner or company, as Google charges according to the number of requests made while authenticating the service using the key. Finding such API key’s in the code of thousands of lines is really very difficult. So what we should do is make it easy to find the API key in the source code of the application.

The answer is simple: we are going to use automated tools to make our job simpler. One of those tools is the nucleus template. How can we find this vulnerability? Observe every endpoint and source code of the application, whether the API key is visible or not. If you are able to find an API key, congratulations.

Recommendation: Don't disclose the API key in the source code of the application.