More Accurate Google Maps API Key Testing

[m-q-t]

Hi team,

I've noticed the current method for testing Google Maps API keys is inaccurate as it doesn't show if the key is inactive or if the key is restricted by the Referer header.

We can issue the following command to confirm if the keys are indeed active and not restricted by the Referer header:

curl -H "referer: http://example.com" "https://maps.googleapis.com/maps/api/directions/json?origin=Stockholm&destination=Kalmar&key=KEY_HERE"

Different types of responses:

Vulnerable: Key is valid & active with no restrictions:

<long snippet>
         "warnings" : [],
         "waypoint_order" : []
      }
   ],
   "status" : "OK"
}

Not Vulnerable: Key is valid & active but restricted by Referer:

{
   "error_message" : "API keys with referer restrictions cannot be used with this API.",
   "routes" : [],
   "status" : "REQUEST_DENIED"
}

Not Vulnerable: Key is valid, but not active:

{
   "error_message" : "This API project is not authorized to use this API.",
   "routes" : [],
   "status" : "REQUEST_DENIED"
}

Not Vulnerable: Key is invalid:

{
   "error_message" : "The provided API key is invalid.",
   "routes" : [],
   "status" : "REQUEST_DENIED"
}

More information about different ways the keys can be restricted:
https://developers.google.com/maps/api-key-best-practices

Thank you,
- mqt

[codingo]

Thank-you!