Improper Access Control in teamultroid/ultroid
May 21st 2021
Google Maps API key without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account.
🕵️♂️ Proof of Concept
Visit this link to verify that you can use the service by visiting the following link: Vulnerable API POC Link
However with the proper restrictions, it should return a Forbidden error.
- customsearch || $5 per 1000 requests
Attacker is able to abuse your API key. If billing is enabled in your profile, attackers can use your key while your account gets charged.