The use of a Google API Key can be restricted to a configurable set of host or domain names. But does this protect (ab)use of the key by others? Not really.
Two remarks upfront: First, I do not want to encourage anybody to use someone else's API key. Of course not. But if you are a paying Google customer, you should be aware that Google actually cannot guarantee that the keys can only be used in a way intended by you.
Second, the problem is not specific to Google Maps. It is not even specific to Google services at all, since other service providers use the same logic. The Google Maps API is just a good example because it is used on so many websites.
How Is the Key Used?
<script src="https://maps.googleapis.com/maps/api/js?key=YOUR_KEY&libraries=places,geometry&callback=initAutocomplete" async defer></script>
The key is therefore not a secret. It is necessarily visible in the source code of the web page consuming the API.
And - very handy - it is trivial to collect these keys in large numbers with any web crawler. You can even get a hint which parts of the
visualization) are usable with a
How Does the Protection Work?
You can configure a list of host and domain names that are allowed to
a specific API key. Using means that API requests are made from an origin
(a web page) hosted on an allowed host (name!).
know the origin of the page? It gets it from the browser! And that means that the information is unreliable. For example, users may patch their browser's source code to supply wrong information.
But there is no need to patch your browser's source code and recompile it! There is a far easier way.
Most keys will be usable from the origin
to allow local development. It is definitely worth a try at least. So if you run your own web application on localhost (and you do, don't you?), just about any API key you can find will do for you. That is the free tier for development that Google does not offer.
But even if a key owner wants to be clever and creates a production key that cannot be used with the loopback interface, there is no need to worry for the abuser. You just edit your
And you are set again! Your local application is now hosted on
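To make the point of this section concrete, here is a small added example (my own illustration, not code from Google or from the original post) that simulates the kind of referrer allowlist a key can be configured with. The matching semantics, the pattern syntax and the allowlists themselves are assumptions constructed for the example. What it shows from the defender's side: the check only ever sees the origin string the browser reports, it has no way to tell where that name actually resolves, and a production key that still carries a loopback entry is usable from any developer's machine. The audit helper flags exactly that entry.

```python
"""Simulated HTTP-referrer restriction check and a small allowlist audit.

Added example; matching rules and allowlists are assumptions, not Google's
actual implementation. Runs offline.
"""
import fnmatch
from urllib.parse import urlsplit

# Constructed allowlists in the style of host-pattern referrer restrictions.
# DEV still permits the loopback origin; PROD does not.
DEV_KEY_ALLOWLIST = ["*.my-ex-employer.com/*", "my-ex-employer.com/*", "localhost/*"]
PROD_KEY_ALLOWLIST = ["*.my-ex-employer.com/*", "my-ex-employer.com/*"]

# Names that mean "this request came from the developer's own machine".
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def referrer_host(referrer):
    """Return the lower-cased host name (no port, no path) of a Referer/Origin URL.

    This string is supplied by the client. Nothing in it tells the server
    whether the name really resolves to the key owner's servers or to an
    address the client chose locally (e.g. via a hosts-file entry).
    """
    parts = urlsplit(referrer)
    return (parts.hostname or "").lower()


def referrer_allowed(referrer, allowlist):
    """Decide whether the reported referrer matches one of the host patterns.

    Each allowlist entry is 'hostpattern/pathpattern'; only the host part is
    compared here, using shell-style wildcards (assumed semantics).
    """
    host = referrer_host(referrer)
    if not host:
        return False
    for entry in allowlist:
        host_pattern = entry.split("/", 1)[0].lower()
        if fnmatch.fnmatchcase(host, host_pattern):
            return True
    return False


def loopback_entries(allowlist):
    """Audit helper: return allowlist entries that admit a loopback origin.

    A production key should return an empty list; anything else means the
    key is usable from any machine that serves a page on localhost.
    """
    found = []
    for entry in allowlist:
        host_pattern = entry.split("/", 1)[0].lower()
        if any(fnmatch.fnmatchcase(h, host_pattern) for h in LOOPBACK_HOSTS):
            found.append(entry)
    return found


if __name__ == "__main__":
    # Constructed sample referrers as a browser would report them.
    samples = [
        "https://www.my-ex-employer.com/contact",
        "http://localhost:3000/index.html",
        "https://www.alone-again.com/",
    ]
    for ref in samples:
        print(f"{ref:45} dev={referrer_allowed(ref, DEV_KEY_ALLOWLIST)!s:5} "
              f"prod={referrer_allowed(ref, PROD_KEY_ALLOWLIST)}")
    print("loopback entries in DEV :", loopback_entries(DEV_KEY_ALLOWLIST))
    print("loopback entries in PROD:", loopback_entries(PROD_KEY_ALLOWLIST))
```

Note that the first sample passes both allowlists purely because of its host string; the function cannot distinguish a page served from the real www.my-ex-employer.com from one served by a machine whose hosts file maps that name to the loopback interface, which is the point the section above makes. The practical check a key owner can make is the second one: run `loopback_entries()` against every production key's allowlist and keep a separate, low-quota key for local development.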
Why Not IP-Based Protection?
Think about it yourself for a second ...
And from Google's side, this also does not help. If you abuse the key
www.my-ex-employer.com locally, the API calls from your local application are indistinguishable from legitimate calls coming from an application hosted on the real IP of
Google can, of course, implement rate-limiting, and I am pretty sure they do. But that is just a little band-aid and not a remedy.
But What Is the Benefit?
So you can develop a web app for your new project using the Google Maps API key that you have taken from www.my-ex-employer.com. But the fun is over when you deploy the site on the real IP of www.alone-again.com. You personally can patch your browser, or you can edit your /etc/hosts, but the visitors of your site will not, and the API calls will fail.
Yes, true, but not completely. You can simply proxy the requests through your own server and you are done. Writing such a little proxy with Express should be a piece of cake for an average web developer.
The Legal Situation (in Germany)
Using other people's keys is probably against Google's terms and conditions for their maps service. But does it matter? No! An attacker can use the API without accepting Google's terms and conditions. A contract not made cannot be breached.
But can the victim hold the attacker liable for the damage? Every API call has to be paid for, and so there can be substantial damage.
That would be the case if the attacker acts illegally, in other words, if a contract or law was broken.
The attacker has a contract neither with Google nor with the victim. But was a law broken? In Germany, there is a law against so-called computer fraud that penalizes the use of invalid or incomplete data or the unauthorized use of data.
I cannot conclusively say whether this law or any other law would be broken, and to be honest I also do not want to say that, because I do not want to encourage anybody to damage anybody else's assets in such a way. But my impression is that the chain of arguments needed to classify such a case as computer fraud would be pretty lame.
On the other hand, the victim can without doubt hold Google liable for the damage by simply not paying for the illegitimate API calls. But how would you find that out, when you cannot even see the IPs from which the calls have been made? And even if you knew the IPs, how would you distinguish abuse of your API key from users hitting F5 just for fun or out of spite?
Weeks ago, I have asked Google for a comment from inside the Google Cloud Platform Console. I am still waiting for any reaction from their side.
But just to reassure the anxious: We are talking about services that are charged at micro-cent prices per request, and it is more than likely that Google has countermeasures against an exploit at large scale. But it leaves a bad taste in the mouth nevertheless that Google uses an utterly non-transparent billing model that is vulnerable to boot.
Attackers that run small sites compared to the site that the key was from have little to fear.