
Issue 888228


Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 24
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Stealing API Key from google or any other site using Maps embed API

Reported by deepb...@gmail.com, Sep 22

Issue description

Hi Google,

Users can still Google's or any other website's (who is using Maps Embed API) API key using the browser console. Please find below the steps to reproduce it.

1) Go to this example link: https://developers.google.com/maps/documentation/embed/guide#directions_mode

2) Press F12 or Ctrl+Shift+I to access the browser console and inspect the direction mode iframe.

You can see the URL Google is using (https://www.google.com/maps/embed/v1/directions?key=AIzaSyD4iE2xVSpkLLOXoyqTRuPwURN3ddScAI&origin=Oslo+Norway&destination=Telemark+Norway&avoid=tolls|highways)

Now anyone can take out your API key (which is "AIzaSyD4iE2xVSpkLLOXoyqTRuPwURN3ddScAI") and misuse it.

 
I am sorry there is a spelling mistake in the first line: Users can "steal" google's ....
Status: WontFix (was: Unconfirmed)
Though the implementation of the API doesn't seem ideal (I'm not familiar with the design decisions that led to it being used in this way), there's not much that can be done about it from the chrome side of things. Even if chrome's developer tools didn't show this, a dedicated attacker could get access to the API key using other tools.
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 1

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
