Comment by charcircuit

3 days ago

Maps keys should not be made public; otherwise an attacker can steal them, drain your wallet, and use them for their own sites.

Maps keys are always public in js on the website (but locked to use on certain domains). That’s how they work.

  • It is not actually locked to a site; it is just based off the host header, which is public information an attacker can use to make the requests.

    • Sure, but the practical form of this attack is limited.

      You can't maliciously embed it in a site you control to either steal map usage or run up their bill because other people's web browsers will send the correct host header.

      That means you can use a botnet or similar to request it using a script. But if you are botnetting, Google will detect you very quickly.

      1 reply →

    • Is there a way to use Google maps apis on the web without exposing the key?

      Re the host header, it seems an odd way for Google to do it; surely they would have fixed that by now? I guess it's not a huge problem, as attackers would have to proxy traffic or something to obscure the host headers sent by real clients? Any links on how people exploit this?

      3 replies →

It’s been years but I thought I recalled having to use the key but then also setting what sites it’d work on.