Improper Access Control in teamultroid/ultroid

Valid

Reported on

May 21st 2021


โœ๏ธ Description

A Google Maps API key without proper HTTP referer restrictions was found in your repo. Such a key can be embedded in anyone's website, and if the billing account is active, every request made with it will incur charges on your account. Note that a Google Cloud API key is a project-level credential: unless API restrictions are set on the key, the same key can call any API enabled in the project, not only the one it was created for.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Proof of Concept

Verify that the key can be used by visiting the following link: Vulnerable API POC Link

With proper restrictions in place, the same request should return a Forbidden (HTTP 403) error instead.

Unrestricted Services:

  • customsearch (Custom Search JSON API): $5 per 1,000 requests
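As an added example (not code from this report or from the ultroid project), the following Python script does mechanically what the proof of concept above does by hand: it finds Google API keys committed in source text and classifies the API's response to a probe made with a key, so "usable" and "Forbidden" can be told apart and logged. The demo key, the sample source snippet and the sample responses are constructed; the Custom Search endpoint, the `cx` placeholder and the `reason` strings follow the documented Google API error format but are assumptions for the purpose of the example.

```python
"""Find Google API keys in committed source and check whether a key is restricted.

Added example for this report, not code from teamultroid/ultroid.  DEMO_KEY,
SAMPLE_SOURCE and SAMPLE_RESPONSES are constructed; the Custom Search endpoint,
the `cx` placeholder and the ErrorInfo reason strings are assumptions.
"""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Google Cloud API keys are "AIza" followed by 35 characters from [A-Za-z0-9_-].
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Constructed key (correct length, not a real credential) and a constructed
# config snippet standing in for a file committed to a repo.
DEMO_KEY = "AIzaSy" + "FAKE" * 8 + "F"
SAMPLE_SOURCE = f'GMAPS_KEY = "{DEMO_KEY}"\nOTHER = "AIza-too-short"\n'

# Constructed responses in the shape Google APIs return: (HTTP status, JSON body).
SAMPLE_RESPONSES = {
    "unrestricted": (200, '{"kind": "customsearch#search", "items": []}'),
    "referer_blocked": (403, json.dumps({"error": {
        "code": 403, "message": "Requests from referer <empty> are blocked.",
        "status": "PERMISSION_DENIED",
        "details": [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
                     "reason": "API_KEY_HTTP_REFERRER_BLOCKED"}]}})),
    "api_not_enabled": (403, json.dumps({"error": {
        "code": 403, "message": "Custom Search API has not been used in project 12345.",
        "status": "PERMISSION_DENIED",
        "details": [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
                     "reason": "SERVICE_DISABLED"}]}})),
    "revoked": (400, json.dumps({"error": {
        "code": 400, "message": "API key not valid. Please pass a valid API key.",
        "status": "INVALID_ARGUMENT",
        "details": [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
                     "reason": "API_KEY_INVALID"}]}})),
}


def find_google_api_keys(text):
    """Return the distinct Google API keys embedded in a blob of source text."""
    return sorted(set(GOOGLE_API_KEY_RE.findall(text)))


def classify(status, body):
    """Map an API response to a (verdict, reason) pair.

    "usable"     request accepted: the key is unrestricted for this caller
    "restricted" 403 with an application or API restriction reason
    "disabled"   403 because the API is not enabled on the project
    "invalid"    400 API_KEY_INVALID: key revoked or malformed
    "other"      anything else (quota exhausted, server error, bad request)
    """
    if 200 <= status < 300:
        return "usable", ""
    try:
        err = json.loads(body)["error"]
        reason = next((d["reason"] for d in err.get("details", []) if "reason" in d), "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return "other", ""
    if status == 403 and reason == "SERVICE_DISABLED":
        return "disabled", reason
    if status == 403:
        return "restricted", reason
    if status == 400 and reason == "API_KEY_INVALID":
        return "invalid", reason
    return "other", reason


def probe_key(key, referer=None, cx="YOUR_CX_ID"):
    """Send one Custom Search request with `key` and classify the response.

    `cx` is an assumed placeholder; supply a real Programmable Search Engine ID
    to get a 200.  The key is checked at the API gateway before the request
    body, so a 403 or API_KEY_INVALID verdict is meaningful even with the
    placeholder.  Pass `referer` to compare a request that claims to come from
    an allowed site against a bare request.
    """
    url = ("https://www.googleapis.com/customsearch/v1?q=test"
           f"&cx={urllib.parse.quote(cx)}&key={urllib.parse.quote(key)}")
    headers = {"Referer": referer} if referer else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode())


if __name__ == "__main__":
    # Usage: python check_keys.py <file> [--probe]   (offline on the sample without a file)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    for found in find_google_api_keys(text):
        print("found key:", found)
        if "--probe" in sys.argv:
            print("  bare request:", probe_key(found))
```

Run it against a checked-out repo (for example `git grep -l AIza | xargs cat | python check_keys.py /dev/stdin --probe`) and treat a `usable` verdict on a bare request as the finding described in this report; the fix is to rotate the key and set both an application restriction (HTTP referrers) and an API restriction on the replacement.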

💥 Impact

An attacker is able to abuse the API key. If billing is enabled on the project, the attacker's requests made with the key are charged to your account.

Aditya
a year ago

Maintainer


We use no "Google Maps API key", and there is no such API key open in the repo.

novik8989
a year ago

Researcher


For the key "AIzaSyAyDBsY3WRtB5YPC6aB_w8JAy6ZdXNc6FU", the Google Maps API is enabled.

Error
a year ago

We are not using the Google Maps API. You should just check first before raising an issue!

Sฯฮนโˆ‚ัƒ
a year ago

Ok, say where it is used.

Sฯฮนโˆ‚ัƒ
a year ago

Sorry about this. We will fix it soon 😖

Aditya
a year ago

Maintainer


Thanks for notifying. We've managed to patch it.

novik8989
a year ago

Researcher


Thanks for fixing the issue!
