Improper Access Control in ChestnutTechno/PainDiary

Valid
Reported on May 18th 2021

✍️ Description

A Google Maps API key without proper referer restrictions is committed to the repository. Anyone can embed it in their own website, and if the billing account is active, that usage will incur charges on your account.
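The usual way this class of issue enters a repository is a committed resource or config file that still carries the real key. The following scanner is an added example, not code from the PainDiary project or the report: it looks for strings in the documented Google API key shape (the literal `AIza` followed by 35 characters from `[A-Za-z0-9_-]`), reports each hit with a masked key so the finding itself does not leak the secret, and can be wired into a pre-commit hook or CI job. The sample repository contents and the key value are constructed for the example; `HIGH_RISK_SUFFIXES` is an assumption about where such keys are most often committed, not a list from the page.

```python
import os
import re
from typing import Dict, List

# Google API keys (Maps keys included) are 39 characters: the literal "AIza"
# followed by 35 characters from [A-Za-z0-9_-]. This is the public key format.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# Assumption for triage only: file types in which a Maps key is commonly
# committed by mistake (Android resources, web pages, bundles, config files).
# Every file handed to the scanner is checked regardless of suffix.
HIGH_RISK_SUFFIXES = (".xml", ".html", ".js", ".json", ".properties", ".env", ".gradle")

# Directories that are never worth scanning (VCS metadata, build output).
SKIP_DIRS = {".git", "node_modules", "build", ".gradle"}


def mask(key: str) -> str:
    """Keep the first 6 and last 4 characters; hide the rest in reports."""
    return key[:6] + "*" * (len(key) - 10) + key[-4:]


def scan_text(path: str, text: str) -> List[dict]:
    """Return one finding per key-shaped token in the given file content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append({
                "path": path,
                "line": lineno,
                "key_masked": mask(match.group(0)),
                "high_risk_file": path.lower().endswith(HIGH_RISK_SUFFIXES),
            })
    return findings


def scan_tree(files: Dict[str, str]) -> List[dict]:
    """Scan an in-memory mapping of relative path -> file content."""
    out: List[dict] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def scan_directory(root: str) -> List[dict]:
    """Walk a checked-out repository on disk and scan every readable text file."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, names in os.walk(root):
        # Prune directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue  # unreadable file (permissions, special file): skip it
    return scan_tree(files)


# Constructed sample repository: one leaked key in an Android-style resource
# file and one placeholder in the README that must NOT be flagged.
SAMPLE_KEY = "AIzaSyEXAMPLE-" + "0" * 25  # constructed value, not a real key
SAMPLE_REPO = {
    "app/src/main/res/values/google_maps_api.xml":
        "<resources>\n"
        '  <string name="google_maps_key" translatable="false">' + SAMPLE_KEY + "</string>\n"
        "</resources>\n",
    "README.md": "Set google_maps_key to YOUR_API_KEY before building.\n",
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_REPO):
        print(finding)
```

Run `scan_directory(".")` from the repository root for a real check; a non-empty result is a reason to block the commit, rotate the key, and add referer (website) restrictions before the replacement key is deployed. Matching on the key format rather than on variable names catches keys pasted into unexpected places, at the cost of occasional false positives on other 39-character tokens, which the masked report makes quick to triage.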

🕵️‍♂️ Proof of Concept

Verify that the key can be used from outside the application by visiting the following link: Vulnerable API POC Link

With the proper restrictions in place, the same request should return a Forbidden error.

💥 Impact

An attacker is able to consume your daily free quota of 100, incur charges on your account, and then abuse your key for their own usage.