61

Storytime!

Manager: Hey fullstackchris, the maps widget on our app stopped working recently...

Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...

Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)

Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?

Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!

Dev: 🤦‍♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Somewhat started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)

Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...

Terminal: grep results in, CMS codebase!

Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!

Long story short:

The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.

WITH A GOOGLE MAPS API KEY.

JUST CHILLING IN PLAINTEXT.

Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷‍♂️

Oh, and it's only Monday. 😎

Cheers!

Comments
  • 7
    Oh for fucks sake.
    Well at least it's not your fault xD
    How hard is it to not be stoopid?
    Answer: pretty hard apparently...
  • 3
    Fun times!

    😁
  • 9
    you just know the deadbeat consultants left it there so your company would call them again is something stopped working.

    Besides working for like 10 mins and billing for 20 urgent hours, the consults would also say "we fixed a vulnerability and optimized your API requests, you should pay us extra for reducing your costs".
  • 4
    I haven't used gmaps in a while but aren't you supposed to whitelist your domain? So even if someone gets the key it's useless? Or is this some other type of key you're talking about?
  • 2
    @ars1 This also would have been prudent by said consulting goons. Of course they set no such restrictions on the key.
  • 0
    If I understand this correctly, the Google maps API key is or can be mapped to your domain name and prevent misuse
Add Comment