λ python maps_api_scanner.py
Please enter the Google Maps API key you wanted to test: AIzaSyD6VRivTWso8Xt0dpuKql4ki6kXfUo9X5A
API key is vulnerable for Staticmap API!
Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=AIzaSyD6VRivTWso8Xt0dpuKql4ki6kXfUo9X5A
API key is not vulnerable for Staticmap API. Reason: b'The Google Maps Platform server rejected your request. This API project is not authorized to use this API.'
API key is not vulnerable for Directions API. Reason: This API project is not authorized to use this API.
API key is vulnerable for Geocode API!
Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=AIzaSyD6VRivTWso8Xt0dpuKql4ki6kXfUo9X5A
API key is not vulnerable for Distance Matrix API. Reason: This API project is not authorized to use this API.
API key is not vulnerable for Find Place From Text API. Reason: This API project is not authorized to use this API.
API key is not vulnerable for Autocomplete API. Reason: This API project is not authorized to use this API.
API key is not vulnerable for Elevation API. Reason: This API project is not authorized to use this API.
API key is not vulnerable for Timezone API. Reason: This API project is not authorized to use this API.
API key is not vulnerable for Nearest Roads API. Reason: Roads API has not been used in project 6518302203 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/roads.googleapis.com/overview?project=6518302203 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
API key is vulnerable for Geolocation API!
Here is the PoC curl command which can be used from terminal:
curl -i -s -k -X $'POST' -H $'Host: www.googleapis.com' -H $'Content-Length: 22' --data-binary $'{"considerIp": "true"}' $'https://www.googleapis.com/geolocation/v1/geolocate?key=AIzaSyD6VRivTWso8Xt0dpuKql4ki6kXfUo9X5A'
API key is not vulnerable for Route to Traveled API. Reason: Roads API has not been used in project 6518302203 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/roads.googleapis.com/overview?project=6518302203 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
API key is not vulnerable for Speed Limit-Roads API. Reason: Roads API has not been used in project 6518302203 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/roads.googleapis.com/overview?project=6518302203 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
API key is not vulnerable for Place Details API. Reason: This API project is not authorized to use this API.
API key is not vulnerable for Nearby Search-Places API. Reason: This API project is not authorized to use this API.
API key is not vulnerable for Text Search-Places API. Reason: This API project is not authorized to use this API.
API key is not vulnerable for Places Photo API. Reason: Verbose responses are not enabled for this API, cannot determine the reason.
API key is not vulnerable for FCM API. Reason: INVALID_KEY_TYPE
-------------------------------------------------------------
Results || Cost Table/Reference to Exploit:
-------------------------------------------------------------
- Staticmap || $2 per 1000 requests
- Geocode || $5 per 1000 requests
- Geolocation || $5 per 1000 requests
-------------------------------------------------------------
Reference for up-to-date pricing:
https://cloud.google.com/maps-platform/pricing
https://developers.google.com/maps/billing/gmp-billing
Do you want to conduct tests for Javascript API? (Will need manual confirmation + file creation) (Y/N)n
Operation is over. Thanks for using G-Maps API Scanner!
Summary: xx - Potential Google Maps API misuse vulnerability. It can cause API resource damage and financial damage.
Impact:

Business impact: Attackers can exploit the captured Google Maps API key belonging to the xx app to make unauthorized calls against its Google Maps API quota. This malicious activity can lead to theft and exhaustion of the API quota, causing issues such as abnormal map loading and inability to use location services, and ultimately degrading the user experience once the quota is fully consumed.

Severity: If the API key is not properly restricted, security measures have not been adequately implemented to limit access to and usage of the key to authorized users or services only. This leaves the API key open to misuse, including but not limited to being captured and abused by attackers, resulting in unauthorized access and potentially harmful consequences such as exhausting the API quota or causing service disruptions.
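The remediation the severity note calls for is to put API restrictions (and application restrictions such as package name or HTTP referrer) on the key, and a defender then wants to confirm that each Maps service actually rejects the key afterwards. The following is an added example, not part of the original report nor of the maps_api_scanner.py tool quoted above: it performs no network requests and instead classifies response bodies that have already been captured, using the "REQUEST_DENIED" / "not authorized" statuses seen in the scanner output, and sizes worst-case spend with the per-1000-request prices from the report's cost table. The sample responses, the `triage` and `worst_case_cost` helper names, and the request volume are constructed for illustration.

```python
"""Offline triage of captured Google Maps Platform responses for one API key.

Added example (not from the original report or from maps_api_scanner.py).
No network calls are made; the caller supplies (api_name, http_status, body)
tuples captured while verifying that a key's restrictions are in force.
"""
import json

# USD per 1,000 requests, as listed in the report's cost table.
COST_PER_1000 = {"staticmap": 2.0, "geocode": 5.0, "geolocation": 5.0}

# Prefix of the plain-text error the Static Maps endpoint returns instead
# of an image when the key is not allowed to use it (quoted in the report).
STATICMAP_ERROR_PREFIX = b"The Google Maps Platform server rejected your request"


def classify_response(api_name, status_code, body):
    """Classify one captured response as (usable, reason).

    usable=True means the service accepted the key and served (and billed)
    the request, i.e. no API restriction covers this endpoint. Anything
    else, including an unparseable body, is treated as not usable.
    """
    if api_name == "staticmap":
        # Static Maps answers with image bytes on success, text on failure.
        if status_code == 200 and not body.startswith(STATICMAP_ERROR_PREFIX):
            return True, "image returned"
        return False, body.decode("utf-8", errors="replace")

    try:
        data = json.loads(body)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return False, "unparseable response body"

    # Geolocation reports failures as a top-level "error" object and
    # successes as a "location" object, without a "status" field.
    if "error" in data:
        return False, data["error"].get("message", "unknown error")
    if "status" not in data:
        return ("location" in data), "geolocation body"

    status = data["status"]
    if status in ("OK", "ZERO_RESULTS"):
        return True, f"status {status}"
    return False, data.get("error_message", f"status {status}")


def triage(captured):
    """captured: iterable of (api_name, http_status, body_bytes).

    Returns {api_name: {"usable": bool, "reason": str}}.
    """
    result = {}
    for api_name, status_code, body in captured:
        usable, reason = classify_response(api_name, status_code, body)
        result[api_name] = {"usable": usable, "reason": reason}
    return result


def worst_case_cost(triage_result, requests_per_api):
    """Estimate spend (USD) if every usable, priced API is hit
    requests_per_api times; APIs missing from the price table add 0."""
    total = 0.0
    for api_name, info in triage_result.items():
        if info["usable"] and api_name in COST_PER_1000:
            total += COST_PER_1000[api_name] * requests_per_api / 1000
    return total


# Constructed sample responses (not real captures).
SAMPLE_CAPTURES = [
    ("staticmap", 200, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("geocode", 200, json.dumps({
        "results": [],
        "status": "REQUEST_DENIED",
        "error_message": "This API project is not authorized to use this API.",
    }).encode()),
    ("geolocation", 200, json.dumps({
        "location": {"lat": 45.0, "lng": 10.0}, "accuracy": 1500.0,
    }).encode()),
    ("directions", 403, json.dumps({
        "status": "REQUEST_DENIED",
        "error_message": "This API project is not authorized to use this API.",
    }).encode()),
]

if __name__ == "__main__":
    report = triage(SAMPLE_CAPTURES)
    for name, info in report.items():
        print(f"{name:12s} usable={str(info['usable']):5s} {info['reason']}")
    print("worst case at 1,000,000 requests per usable API: "
          f"${worst_case_cost(report, 1_000_000):,.2f}")
```

Run it after applying key restrictions: every entry should come back `usable=False` with a "not authorized" reason; any API still reporting `usable=True` is one the restriction does not yet cover, and the cost line shows what an abuser could run up against it at the report's prices.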