Improper Access Control in xamarin/googleplayservicescomponents
Reported on
May 22nd 2021
✍️ Description
Google Maps API key without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account.
🕵️♂️ Proof of Concept
Visit the following links to verify that you can use the service by visiting them:
(1) https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=AIzaSyCfJp9rrUEaA07vdoGvGQgJqm0Fa9cJGiw Link-1
(2) https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=AIzaSyCfJp9rrUEaA07vdoGvGQgJqm0Fa9cJGiw Link-2
(3) https://maps.googleapis.com/maps/api/place/details/json?place_id=ChIJN1t_tDeuEmsRUsoyG83frY4&fields=name,rating,formatted_phone_number&key=AIzaSyCfJp9rrUEaA07vdoGvGQgJqm0Fa9cJGiw Link-3
(4) https://maps.googleapis.com/maps/api/place/textsearch/json?query=restaurants+in+Sydney&key=AIzaSyCfJp9rrUEaA07vdoGvGQgJqm0Fa9cJGiw Link-4
(5) https://lh4.googleusercontent.com/-1wzlVdxiW14/USSFZnhNqxI/AAAAAAAABGw/YpdANqaoGh4/s1600-w400/Google%2BSydney Link-5
and other services.
However with the proper restrictions, it should return a Forbidden error.
Unrestricted Services :-
- Find Place From Text || $17 per 1000 elements
- Autocomplete || $2.83 per 1000 requests
- Autocomplete Per Session || $17 per 1000 requests
- Place Details || $17 per 1000 requests
- Nearby Search-Places || $32 per 1000 requests
- Text Search-Places || $32 per 1000 requests
- Places Photo || $7 per 1000 requests
💥 Impact
Attacker is able to consume your daily free quota , charge your account and then abuse your key for their usage.
Old key has been deleted and should no longer be accessible, all url's in the report now return request denied or key expired.
