Improper Access Control in causefx/organizr
Reported on
May 24th 2021
✍️ Description
A Google Maps API key without proper referer restrictions is present in your repo. It can be embedded in anyone's website and, if the billing account is active, it will incur charges on your account.
🕵️♂️ Proof of Concept
Visit the following link to verify that you can use the service with the key as below:
https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=AIzaSyBsdt8nLJRMTwOq5PY5A5GLZ2q7scgn01w
With proper restrictions in place, the same request should instead return a Forbidden error.
Unrestricted services:
- Geocode ($5 per 1000 requests)
💥 Impact
An attacker is able to consume your daily free quota, charge your account, and then abuse your key for their own usage.
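Two defensive checks follow the shape of this report: catching a Google API key before it is committed, and confirming from a Geocoding API response that a restriction is actually in effect. The script below is an added example, not part of the huntr report or the organizr project; the scanned files, the filler key and the JSON responses are constructed for the demo, and the `status` values it inspects (`OK`, `REQUEST_DENIED`) are the documented Geocoding API status field.

```python
"""Added example (not from the report or the organizr project): scan a source
tree for committed Google API keys and classify a Geocoding API response to
confirm whether a key is restricted. Sample files and responses are constructed."""
import json
import os
import re
import tempfile

# Google API keys are "AIza" followed by 35 URL-safe characters. The lookarounds
# stop a longer identifier from being cut into a false positive.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Only text-like files are scanned; binary assets are skipped.
TEXT_EXTENSIONS = {".php", ".js", ".html", ".json", ".py", ".env",
                   ".txt", ".yml", ".yaml", ".md"}


def scan_tree_for_keys(root):
    """Return a sorted list of (relative_path, line_number, key) for every
    Google API key literal found under `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            if os.path.splitext(name)[1] not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    for match in GOOGLE_API_KEY_RE.finditer(line):
                        findings.append((rel, lineno, match.group(0)))
    return sorted(findings)


def classify_geocode_response(body):
    """Classify a Geocoding API JSON body. 'open' means the key served the
    request (no effective restriction); 'restricted' means Google refused it;
    'other' covers quota errors, bad input and the like."""
    status = json.loads(body).get("status")
    if status == "OK":
        return "open"
    if status == "REQUEST_DENIED":
        return "restricted"
    return "other"


# Constructed responses shaped like the Geocoding API's JSON envelope.
OPEN_RESPONSE = json.dumps({"status": "OK", "results": [{"formatted_address": "constructed"}]})
DENIED_RESPONSE = json.dumps({"status": "REQUEST_DENIED",
                              "error_message": "constructed sample denial message"})
QUOTA_RESPONSE = json.dumps({"status": "OVER_QUERY_LIMIT", "results": []})


def demo():
    """Build a throwaway repo containing a hard-coded (fake) key and scan it."""
    fake_key = "AIza" + "X" * 35  # constructed placeholder, not a real credential
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, "js"))
        with open(os.path.join(repo, "js", "maps.js"), "w") as fh:
            fh.write("const MAPS_KEY = '%s';\n" % fake_key)
        with open(os.path.join(repo, "README.md"), "w") as fh:
            fh.write("No secrets here.\n")
        with open(os.path.join(repo, "logo.png"), "wb") as fh:
            fh.write(fake_key.encode())  # binary asset, deliberately ignored
        return scan_tree_for_keys(repo)


if __name__ == "__main__":
    for rel, lineno, key in demo():
        print("%s:%d: committed Google API key %s...%s" % (rel, lineno, key[:8], key[-4:]))
    print("open key   ->", classify_geocode_response(OPEN_RESPONSE))
    print("locked key ->", classify_geocode_response(DENIED_RESPONSE))
```

Running `scan_tree_for_keys` as a pre-commit hook stops the key from landing in the repo in the first place; `classify_geocode_response` is what a maintainer would run against the key's own response after tightening the allowed referers, expecting `restricted` rather than `open`.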
Occurrences
I have contacted the maintainer through a GitHub Issue. Awaiting a response from them.
I went ahead and locked the keys down to YouTube only - Also these keys have no billing attached to them.
Hello @causefx, the key is now restricted to Google Maps services. No billing attached to the exposed key seems fair. However, abuse of the YouTube API quota associated with this key is possible and can be prevented only if you restrict its allowed domains. You can verify that anyone can use the key like:
https://www.googleapis.com/youtube/v3/search?part=snippet&q=YouTube+Data+API&type=video&key=AIzaSyBsdt8nLJRMTwOq5PY5A5GLZ2q7scgn01w
This may result in improper functionality of the application. That being said, please qualify the issue as valid and patch it. Then you may select yourself as fixer since you patched the key. Thanks.