Improper Access Control in OpenSprinkler/OpenSprinkler-App

Valid
Reported on May 21st 2021

✍️ Description

A Google Maps API key without proper HTTP referer restrictions was found in your repository. It can be embedded in anyone's website and, if the billing account is active, will incur charges on your account.

🕵️‍♂️ Proof of Concept

Visit the following links to verify that the services can be used even without a proper Referer header:

  • https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=AIzaSyDaT_HTZwFojXmvYIhwWudK00vFXzMmOKc
  • https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=AIzaSyDaT_HTZwFojXmvYIhwWudK00vFXzMmOKc
  • https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=AIzaSyDaT_HTZwFojXmvYIhwWudK00vFXzMmOKc
  • https://www.googleapis.com/geolocation/v1/geolocate?key=AIzaSyDaT_HTZwFojXmvYIhwWudK00vFXzMmOKc
  • https://maps.googleapis.com/maps/api/place/details/json?place_id=ChIJN1t_tDeuEmsRUsoyG83frY4&fields=name,rating,formatted_phone_number&key=AIzaSyDaT_HTZwFojXmvYIhwWudK00vFXzMmOKc
  • https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=-33.8670522,151.1957362&radius=100&types=food&name=harbour&key=AIzaSyDaT_HTZwFojXmvYIhwWudK00vFXzMmOKc

However, with proper restrictions in place, these requests should return a Forbidden error.
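One way to audit such a key from the defender's side, as an added example that is not part of this report or of the OpenSprinkler project: send the reverse-geocode request from the list above once with no Referer and once with an unrelated Referer, and classify each answer. The endpoint and the JSON `status` values are Google's; the helper names and the sample responses are constructed for this example.

```python
"""Audit helper (added here, not part of OpenSprinkler-App): does a Maps key still
work with no Referer or a foreign Referer?  Sample responses are constructed."""
import json
import urllib.error
import urllib.request
from typing import Optional

# Cheapest probe on the list above: one reverse-geocode request for a fixed point.
GEOCODE_URL = "https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key={key}"

# Constructed responses in the shape the Maps web services use (JSON 'status' field).
SAMPLE_DENIED = '{"status": "REQUEST_DENIED", "error_message": "not authorized"}'
SAMPLE_ACCEPTED = '{"status": "OK", "results": [{"formatted_address": "..."}]}'


def classify(http_status: int, body: str) -> str:
    """Return 'restricted', 'unrestricted' or 'unknown' for one probe response.
    The Maps web services usually answer HTTP 200 and signal denial in the JSON
    'status' field; a hard HTTP 403 is treated as restricted as well."""
    if http_status == 403:
        return "restricted"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    status = data.get("status") if isinstance(data, dict) else None
    if status == "REQUEST_DENIED":
        return "restricted"
    if status in ("OK", "ZERO_RESULTS"):
        return "unrestricted"  # key accepted (and billable) regardless of results
    return "unknown"


def probe(key: str, referer: Optional[str]) -> str:
    """Send one request with the given Referer (None = no header) and classify it."""
    req = urllib.request.Request(GEOCODE_URL.format(key=key))
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())


def check_key(key: str) -> dict:
    """Both probes should come back 'restricted'; 'unrestricted' on either one
    means the key can be embedded on any site and billed to your account."""
    return {"no_referer": probe(key, None),
            "foreign_referer": probe(key, "https://example.invalid/")}  # not your site
```

Run `check_key()` against your own key after applying referer restrictions in the Google Cloud console to confirm the restriction is actually enforced for the APIs the key is enabled for.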

Impacted Services:

  • Geocode: $5 per 1000 requests
  • Find Place From Text: $17 per 1000 elements
  • Autocomplete: $2.83 per 1000 requests
  • Autocomplete Per Session: $17 per 1000 requests
  • Geolocation: $5 per 1000 requests
  • Place Details: $17 per 1000 requests
  • Nearby Search-Places: $32 per 1000 requests
  • Text Search-Places: $32 per 1000 requests
  • Places Photo: $7 per 1000 requests

💥 Impact

An attacker is able to abuse your API key. If billing is enabled on your profile, attackers can use the key while your account is charged for their requests.