Improper Access Control in xamarin/googleplayservicescomponents


Reported on

May 22nd 2021

✍️ Description

Google Maps API key without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account.

🕵️‍♂️ Proof of Concept

Visit the following links to verify that you can use the service by visiting them:

(1),formatted_address,name,rating,opening_hours,geometry&key=AIzaSyCfJp9rrUEaA07vdoGvGQgJqm0Fa9cJGiw Link-1

(2) Link-2

(3),rating,formatted_phone_number&key=AIzaSyCfJp9rrUEaA07vdoGvGQgJqm0Fa9cJGiw Link-3

(4) Link-4

(5) Link-5

and other services.

However with the proper restrictions, it should return a Forbidden error.

Unrestricted Services :-

  • Find Place From Text || $17 per 1000 elements
  • Autocomplete || $2.83 per 1000 requests
  • Autocomplete Per Session || $17 per 1000 requests
  • Place Details || $17 per 1000 requests
  • Nearby Search-Places || $32 per 1000 requests
  • Text Search-Places || $32 per 1000 requests
  • Places Photo || $7 per 1000 requests

💥 Impact

Attacker is able to consume your daily free quota , charge your account and then abuse your key for their usage.

Jonathan Dick
3 years ago

Old key has been deleted and should no longer be accessible, all url's in the report now return request denied or key expired.

3 years ago


Awesome! Thanks for fixing the issue.

to join this conversation