Google Maps API (Not the Key) Bugs That I Found Over the Years

Approval from the Google Trust & Safety security team for all of the vulnerabilities I have reported
Valid API request with a valid Referer header
Request is blocked because Referer header is not allowed
Request blocked because it has no Referer header
Deleting the Referer header bypasses the security control for the Static Maps API
<!-- Suppress the Referer header so the request arrives without one -->
<meta name="referrer" content="no-referrer"/>
<!-- Static Maps request; the key placeholder is a leaked/restricted key under test -->
<img src="http://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=YOUR_API_KEY">
Google itself using Google Maps API services
Google’s own API key
Successful response with only the API key
Scan result for a leaked Google Maps API key with gmapsapiscanner
Any subdomain or path URLs in a single domain, using wildcard asterisks (*): *.example.com/*
Bypassing the control with the Referer value https://test.com#.ozguralp.com
Invalid API key error from the JavaScript API
Valid authentication response body from the JavaScript API
Bypassing the client-side authentication check of the JavaScript API
