Improper Access Control in bramp/myip

Valid

Reported on

May 23rd 2021


✍️ Description

A Google Maps API key enabled without proper referer restrictions was found in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account. If Google Maps is not used in your project, then all the following APIs should be disabled for your key; otherwise, proper access control should be enforced to prevent its abuse by an attacker.

🕵️‍♂️ Proof of Concept

Visit this link to verify that it is not protected by referrer restrictions.

https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=AIzaSyA6-HIkxuJEX6Hf3rzVx07no32YM3N5V9s

However with the proper restrictions, it should return a Forbidden error.

Affected Services:

Staticmap -> $2 per 1000 requests

💥 Impact

An attacker is able to abuse your API key. If billing is enabled in your profile, attackers can use your key while your account gets charged.

Andrew Brampton
6 months ago

Maintainer


This issue was interesting, because this is actually working as designed. Google will limit requests to that URL based on the Referrer header. However, when you open a new browser window (to open the example link) you don't send a Referrer header, and Google actually lets you through.

To improve this, I switched to using the newer signature method, which means signing the URL server side.
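The server-side URL signing the maintainer describes, as an added illustration in Go (the language of bramp/myip); this is not the project's own code. It follows Google's documented Static Maps signing scheme (HMAC-SHA1 over path and query with the URL-safe base64 signing secret, signature appended as a URL-safe base64 parameter); the secret, the `API_KEY_PLACEHOLDER` value and the local `VerifySignedURL` check are constructed for the example, since in production Google performs the verification.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// decodeSecret accepts the URL-safe base64 signing secret with or without '=' padding.
func decodeSecret(secret string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(secret, "="))
}

// SignURL signs path+query of a Static Maps request with HMAC-SHA1 and appends
// the URL-safe base64 signature. The browser only ever sees the finished URL;
// the secret stays on the server, so a copied URL cannot be altered to new params.
func SignURL(rawURL, secret string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	key, err := decodeSecret(secret)
	if err != nil {
		return "", err
	}
	toSign := u.Path + "?" + u.RawQuery // domain is excluded from the signed data
	mac := hmac.New(sha1.New, key)
	mac.Write([]byte(toSign))
	sig := base64.URLEncoding.EncodeToString(mac.Sum(nil))
	return u.Scheme + "://" + u.Host + toSign + "&signature=" + sig, nil
}

// VerifySignedURL models the check the API performs: recompute the signature
// for everything before "&signature=" and compare in constant time.
func VerifySignedURL(signedURL, secret string) bool {
	i := strings.LastIndex(signedURL, "&signature=")
	if i < 0 {
		return false
	}
	expected, err := SignURL(signedURL[:i], secret)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(signedURL)) == 1
}

func main() {
	const secret = "c2VjcmV0LXNpZ25pbmctZGVtbyE=" // constructed placeholder, not a real signing secret
	signed, err := SignURL("https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=API_KEY_PLACEHOLDER", secret)
	if err != nil {
		panic(err)
	}
	fmt.Println(signed)
	fmt.Println("verifies:", VerifySignedURL(signed, secret))
}
```

The signature only binds the parameters of one URL; the API key itself is still visible in it, so an exposed key should additionally be rotated and restricted in the Cloud console.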

novik8989
6 months ago

Researcher


Awesome! Thanks for fixing this issue so fast.