
From what I understand (given this previous question and the Google Maps API docs), it seems that an attacker could run up another site's quota.

For example, let's say I run a web app, "Find Taxi", and a competitor runs "Find Ride". In my web app's JavaScript code, I include my Google Maps v3 API key. The developer for "Find Ride" runs a PhantomJS process that spoofs the referrer header (as http://findtaxi.com/) and loads 25,000 maps per day on his server (running out my quota limit). Note that even given the client IP rate limit, 1 request/second/user, the quota can be reached from a single client within one day (86,400 seconds in a day).

I created a simple PhantomJS script to simulate this (and an API key restricting the referrer to example.com/*), so this attack appears to be feasible. Is Google relying on non-technical reasons to prevent this? For example, I can see legal issues (the threat to the business if this attack was leaked) and economic issues (the cost of running the attack server).

I guess I'm asking this question in case I missed a technical reason why this attack isn't possible.

user826397
  • Did you just answer your own question? This question is yes/no and could've been asked in any online forum; this is not a programming problem. . . – pythonian29033 Feb 11 '14 at 07:46
  • @pythonian29033 while not strictly a coding problem, I feel this falls into the world of devops. Is there a stackexchange site for devops? – Steve Jansen Feb 11 '14 at 15:03
  • Yes there is: programmers.stackexchange. Your good English doesn't help to make your argument valid. – pythonian29033 Feb 11 '14 at 15:11
  • The programmers.stackexchange.com has 0 questions tagged [google-maps](http://programmers.stackexchange.com/tags/google-maps), 0 questions tagged [google-maps-api-v3](http://programmers.stackexchange.com/tags/google-maps-api-v3) and just 57 questions for the search phrase [google maps api](http://programmers.stackexchange.com/search?q=google+maps+api). The [linked SO question](http://stackoverflow.com/questions/2256305/how-does-google-maps-secure-their-api-key-how-to-make-something-similar) has 33 upvotes and 23 stars. Seems reasonably relevant to me. – Steve Jansen Feb 11 '14 at 15:40

3 Answers


Google Geo support for Business confirmed for me in December 2013 that their docs are out of date on this issue. The Google Maps API domain restrictions use the browser's window.location object and not the HTTP_REFERER request header. This makes sense given how HTTP_REFERER may be missing for a variety of reasons, from a new browser window to proxy server rewriting the header value.

This makes it much harder to spoof an authorized domain, however, it is still theoretically possible. A very determined attacker could modify the JS native code for window.location in any open source browser engine (e.g., Chromium, PhantomJS, Rhino, etc).

This seems possible but improbable, unless you have some nasty competitors. Moreover, I bet Google support would investigate suspected API abuse by a third party if you could demonstrate your Maps API usage is significantly higher than your analytics usage is showing the page loading the maps API.

Steve Jansen
  • Note that even without modifying the native code you can set window.location by configuring /etc/hosts and visiting the site. – user826397 Feb 11 '14 at 15:38
  • @user826397 - great point - the attacker could modify the network layer. That is definitely easier. – Steve Jansen Feb 11 '14 at 15:39

Yes, this is possible; however, Google made domain restrictions for your API key.

This means you can give access only to, for example, the www.example.com domain.

By default, a key can be used on any site. We strongly recommend that you restrict the use of your key to domains that you administer, to prevent use on unauthorized sites. You can specify which domains are allowed to use your API key by clicking the Edit allowed referrers... link for your key.

Source: Source

Rob
  • However, the referrer header is spoofable. In fact, if on your attack server you set example.com to be an alias for localhost and visit example.com in Phantom.JS (for example, page.open("http://example.com")), PhantomJS will set the referrer header to http://example.com. – user826397 Feb 11 '14 at 15:16

Recently I found that manually repeating the request to the quotaService.recordEvent web service will eventually use up the quota, whether you enable HTTP referrers or not...

Why my Google Maps usage was increased significantly when manually repeating QuotaService.RecordEvent

Not sure if there is any solution to prevent this?

gie3d