Manager: Hey fullstackchris, the maps widget on our app stopped working recently...

Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...

Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)

Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?

Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!

Dev: 🤦‍♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Somewhat started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)

Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...

Terminal: grep results in, CMS codebase!

Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!

Long story short:

The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.



Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷‍♂️

Oh, and it's only Monday. 😎


  • 11
    Oh for fucks sake.
    Well at least it's not your fault xD
    How hard is it to not be stoopid?
    Answer: pretty hard apparently...
  • 5
    Fun times!

  • 15
    you just know the deadbeat consultants left it there so your company would call them again is something stopped working.

    Besides working for like 10 mins and billing for 20 urgent hours, the consults would also say "we fixed a vulnerability and optimized your API requests, you should pay us extra for reducing your costs".
  • 8
    I haven't used gmaps in a while but aren't you supposed to whitelist your domain? So even if someone gets the key it's useless? Or is this some other type of key you're talking about?
  • 5
    @ars1 This also would have been prudent by said consulting goons. Of course they set no such restrictions on the key.
  • 4
    If I understand this correctly, the Google maps API key is or can be mapped to your domain name and prevent misuse
  • 2
    These consultant guys should be sued for damages inflicted
  • 2
    BTW pro tip for anyone who sees this, Google typically offers a one time forgiveness for uncoordinated-typical-management-fail scenarios like these. They refunded our debt completely. 👍❤️
  • 1
    @fullstackclown But they were clear it would only be this one time! Then its up to you to implement standard security practices.
  • 0
Add Comment