Comments
Oh for fuck's sake.
Well at least it's not your fault xD
How hard is it to not be stoopid?
Answer: pretty hard apparently...
JsonBoa (3y): You just know the deadbeat consultants left it there so your company would call them again if something stopped working.
Besides working for like 10 mins and billing for 20 urgent hours, the consultants would also say "we fixed a vulnerability and optimized your API requests, you should pay us extra for reducing your costs".
ars1 (3y): I haven't used gmaps in a while but aren't you supposed to whitelist your domain? So even if someone gets the key it's useless? Or is this some other type of key you're talking about?
@ars1 This also would have been prudent by said consulting goons. Of course they set no such restrictions on the key.
greatidea (3y): If I understand this correctly, the Google Maps API key is or can be mapped to your domain name to prevent misuse.
BTW pro tip for anyone who sees this, Google typically offers a one time forgiveness for uncoordinated-typical-management-fail scenarios like these. They refunded our debt completely. 👍❤️
@fullstackclown But they were clear it would only be this one time! Then it's up to you to implement standard security practices.
Fransen (48d): Yeah, it's real, $5,197 to be exact. I'm not even sure how we missed the quota limits or any alerts. We might've had the alerts set up wrong, or maybe we ignored the warnings in our inbox. Either way, this is a serious oversight, and we've got to figure out how to fix it. First, I'll contact Google Cloud support and see if they can help with the billing issue. Meanwhile, we need to go through all of our configurations and put stricter limits in place to avoid this happening again. If we were using automated scaling without the right safeguards, we should've anticipated something like this. Also, it might be a good time to review our app architecture. Speaking of which, this guide on cloud application development https://jetbase.io/blog/... might give us some insight into how to better structure our cloud usage and avoid such costly surprises in the future. We need to be more proactive about managing our cloud resources from now on.
Storytime!
Manager: Hey fullstackchris, the maps widget on our app stopped working recently...
Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...
Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)
Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have a HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?
Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!
Dev: 🤦♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Someone started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)
Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...
Terminal: grep results in, CMS codebase!
Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!
Long story short:
The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.
WITH A GOOGLE MAPS API KEY.
JUST CHILLING IN PLAINTEXT.
Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷♂️
Oh, and it's only Monday. 😎
Cheers!
Tags: rant, great monday, so smart, great start to week, what is security, consultants know best
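Two practical points come out of the rant and the comments above: a Maps JavaScript key has to ship to the browser, so it is public by design and "keep it secret" is not a defence; what actually limits the damage is pinning the key to your referrers and to the specific Google APIs it needs (what ars1 and greatidea describe), plus quota caps and billing alerts. The script below, an added example that is not code from the devRant post or from Google, automates the "grep the codebase" step: it walks a JSON config like the Angular CMS app.config, reports every value that matches the Google API key format, and checks a restriction record for referrer and API-target pinning. The sample config, the key in it (fake, it only matches the format) and the restriction record are all constructed; the restriction record's shape (browserKeyRestrictions.allowedReferrers, apiTargets[].service) is assumed to mirror the API Keys API and is not fetched from Google here.

```python
"""Find Google API keys in a client-side JSON config and check their restrictions.

Added example, not code from the devRant post or from Google. The sample config,
the key in it and the restriction record are constructed; the key is fake and
only matches the AIza... format.
"""
import json
import re
from typing import Any, Iterator, List, Tuple

# Google API keys are 39 characters: "AIza" followed by 35 URL-safe characters.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

FAKE_KEY = "AIzaSyA" + "0" * 32  # constructed, 39 chars, not a real key

# Constructed stand-in for the Angular CMS app.config from the rant.
SAMPLE_CONFIG = json.dumps({
    "apiBaseUrl": "https://cms.example.com/api",
    "features": {"maps": True, "tiles": ["osm", "google"]},
    "maps": {"provider": "google", "apiKey": FAKE_KEY},
})

# Restriction record shaped like the API Keys API `restrictions` field
# (browserKeyRestrictions.allowedReferrers, apiTargets[].service). Assumed shape,
# constructed here rather than fetched from Google.
SAMPLE_RESTRICTIONS = {
    "browserKeyRestrictions": {"allowedReferrers": ["https://cms.example.com/*"]},
    "apiTargets": [{"service": "maps-backend.googleapis.com"}],
}


def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, string_value) for every string in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_google_keys(config_text: str) -> List[Tuple[str, str]]:
    """Return (json_path, key) for each Google API key embedded in a JSON config."""
    hits = []
    for path, value in _walk(json.loads(config_text)):
        for match in GOOGLE_API_KEY_RE.finditer(value):
            hits.append((path, match.group(0)))
    return hits


def is_safely_restricted(restrictions: dict) -> bool:
    """A browser key is acceptable to ship only if it is pinned to referrers and
    to specific APIs. An empty list, or a bare wildcard referrer, counts as
    unrestricted (heuristic, not Google's own validation)."""
    referrers = restrictions.get("browserKeyRestrictions", {}).get("allowedReferrers", [])
    targets = restrictions.get("apiTargets", [])
    if not referrers or not targets:
        return False
    if any(ref.strip() in ("*", "*/*") for ref in referrers):
        return False
    return all(target.get("service") for target in targets)


def redact(key: str) -> str:
    """Show enough of a key to identify it in a report without reprinting it."""
    return key[:8] + "..." + key[-4:]


if __name__ == "__main__":
    # Report every key found in the shipped config and whether its restrictions
    # would have blunted the kind of abuse described in the rant.
    for path, key in find_google_keys(SAMPLE_CONFIG):
        status = "restricted" if is_safely_restricted(SAMPLE_RESTRICTIONS) else "UNRESTRICTED"
        print(f"{path}: {redact(key)} ({status})")
```

Run it against the real config files and JS bundles that a web server actually serves, not just the repository, since in this story the problem was the endpoint that exposed the config rather than the config file itself. A hit with no referrer or API restrictions is the finding to escalate; a restricted key with a daily quota cap and a billing alert is the state to aim for.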