What is Gmap-Api key?
An API key is a unique identifier. Each time that you use the Google Maps API, you must include a key, or other credentials, to validate your request.
Target: https://www.newcold.com/
when I started to do recon the website. I found that the website was using gmap with the help of wappalyzer.
After visiting all the pages I found the google maps in the website.I went to see the page source. Using find option I searched for Keyword “api”.
It was listing about 15 matches.I went through one-by-one
The gmap api key was found at the 13 th match.
Copied that key and opened googlekey.blindf.com to check it is vulnerable or not.
It listed some methods to exploit the key.
I chosen the third one to exploit.Copied the html code and pasted it in the html file name POC.
When I opened it in the browser.I got the google map in my page.
Impact:
- costing companies extra money and in some cases DOS. Identifies cost: $5 per 1000 request.
- Any person can use this API key for their own use.
Reference :
https://hackerone.com/reports/724039
https://hackerone.com/reports/1065041
Reported through : zerocopter,
Severity level : Medium,
status : Resolved.
Thanks for reading Hope You guys enjoyed it!
Happy Hacking!
