Improper Access Control in causefx/Organizr

Valid
Reported on May 24th 2021

✍️ Description

A Google Maps API key without proper referer restrictions is present in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account.

🕵️‍♂️ Proof of Concept

Visit the following link to verify that you can use the service with the key as below:

https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=AIzaSyBsdt8nLJRMTwOq5PY5A5GLZ2q7scgn01w

With proper restrictions in place, however, the request should return a Forbidden error.

Unrestricted services:

  • Geocoding: $5 per 1000 requests

💥 Impact

An attacker is able to consume your daily free quota, incur charges on your account, and then abuse your key for their own usage.