Improper Access Control in openwhyd/openwhyd

Valid
Reported on May 24th 2021

✍️ Description

A YouTube API key without proper HTTP referrer restrictions was found in your repository. It can be embedded in anyone's website, and if the billing account is active, requests made with it will incur charges on your account.

🕵️‍♂️ Proof of Concept

Visit the following link to verify that anyone can use the API key:

https://www.googleapis.com/youtube/v3/search?part=snippet&q=YouTube+Data+API&type=video&key=AIzaSyCAZvC5tsGWWA2I2cKKsbfaqjwtXfr4bmg

An attacker can abuse the key to exhaust its quota and, if billing is enabled, run up charges. With proper restrictions in place, the same request should instead return a Forbidden (HTTP 403) error.
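As an added, defender-side example that is not part of this report: a small Python scanner that flags Google-style API keys committed to source files before they reach a public repository, plus a helper that interprets the result of probing a key without a Referer header (200 means no referrer restriction is enforced, 403 means the key is restricted, as described above). The file contents and the key value are constructed placeholders, not openwhyd's real files or key.

```python
import re
from dataclasses import dataclass

# Google API keys (including YouTube Data API keys) have a fixed shape:
# "AIza" followed by 35 characters from [A-Za-z0-9_-], 39 characters total.
# Lookarounds stop the pattern from matching inside a longer token.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    key: str


def scan_files(files):
    """Scan a {path: contents} mapping for hard-coded Google API keys.

    Returns one Finding per occurrence with a 1-based line number, so a
    pre-commit hook or CI job can block the commit that introduces the key."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in GOOGLE_API_KEY_RE.finditer(line):
                findings.append(Finding(path, line_no, match.group(0)))
    return findings


def classify_probe(status_code):
    """Interpret an API call made with only the key and no Referer header.

    200: the key accepted an unreferred request, so no HTTP referrer
    restriction is enforced.  403: Google rejected it, the expected result
    once the key is restricted to the application's own origins."""
    if status_code == 200:
        return "unrestricted"
    if status_code == 403:
        return "restricted"
    return "unknown"


# Constructed sample repository contents; the key is a placeholder that only
# matches the Google key shape and is not a real credential.
PLACEHOLDER_KEY = "AIza" + "X" * 35
SAMPLE_REPO = {
    "config/app.js": f'const YOUTUBE_API_KEY = "{PLACEHOLDER_KEY}";\n',
    "README.md": "Set YOUTUBE_API_KEY in the environment, never in the source.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: hard-coded Google API key {f.key[:8]}...")
```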

💥 Impact

An attacker is able to abuse your API key. If billing is enabled on your account, attackers can make requests with your key while your account is charged for them.