Kuhuk
2 min read · Dec 28, 2022

Google API Key Leaked in APK (Sayurbox Android App)

Hi My Friends,

Today I’ll show you my finding on sayurbox.com

Let’s check it out.

I found this bug in the mobile app with the MobSF tool; I scanned the app with it.

Let’s see the result.

You can see google_api_key under the hardcoded secrets.

I took the value and pasted it into this URL:

https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key={{here for google_api_key}}

An attacker who obtains the Google API key can drive continuous consumption of the API, which increases the billing/cost that the owner must pay.

If we visit this URL once, it counts as one request. If an attacker embeds the link in another website with the intention of spreading the API key, the number of requests will be far more than one, and potentially very large.

According to Google’s pricing, Geocoding requests are charged at $5 per 1,000 requests.
So if an attacker can place the API key on someone else’s server and drive thousands, or even millions, of requests with it, the resulting cost will be very high.
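The two checks in this write-up (find the hardcoded key in the APK, then see whether the Geocoding endpoint accepts it from an arbitrary caller) can be turned into a small defender-side script that an app team runs against its own decoded APK before release. The example below is added here and is not the author’s code or anything from Sayurbox: the manifest and strings.xml contents, the package name com.example.shop, the key value and the two Geocoding responses are all constructed, and the key regex assumes the current 39-character “AIza…” key format that secret scanners commonly use.

```python
import json
import re

# Google Maps Platform API keys are 39 characters: "AIza" followed by 35
# URL-safe characters. Assumption: this is the format at the time of writing
# (the same pattern common secret scanners such as MobSF's rules look for).
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")

# Constructed sample of two files as they look after decoding an APK with
# apktool. Hypothetical contents; not taken from any real app.
DECODED_APK_FILES = {
    "AndroidManifest.xml": (
        '<manifest package="com.example.shop">\n'
        '  <application>\n'
        '    <meta-data android:name="com.google.android.geo.API_KEY"\n'
        '               android:value="AIzaSyDUMMY_KEY_0123456789abcdefghijklm"/>\n'
        '  </application>\n'
        '</manifest>\n'
    ),
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">Shop</string>\n'
        '  <string name="google_api_key">AIzaSyDUMMY_KEY_0123456789abcdefghijklm</string>\n'
        '  <string name="not_a_key">AIzaShort</string>\n'
        '</resources>\n'
    ),
}

# Constructed Geocoding API responses: the first is what an unrestricted key
# returns to anyone, the second is what a key restricted to the app (or to a
# different API) returns to an outside caller.
SAMPLE_RESPONSE_OK = json.dumps(
    {"results": [{"formatted_address": "constructed address"}], "status": "OK"}
)
SAMPLE_RESPONSE_DENIED = json.dumps(
    {
        "results": [],
        "status": "REQUEST_DENIED",
        "error_message": "This API key is not authorized to use this service or API.",
    }
)


def find_hardcoded_google_keys(files):
    """Return {key: [file paths]} for every Google-API-key-shaped string.

    `files` maps a path inside the decoded APK to its text content.
    """
    hits = {}
    for path, text in files.items():
        # set() so a key that appears twice in one file is reported once per file
        for key in sorted(set(GOOGLE_API_KEY_RE.findall(text))):
            hits.setdefault(key, []).append(path)
    return hits


def classify_geocode_response(body):
    """Interpret the JSON the Geocoding endpoint from the post returns.

    "unrestricted": the key served a request from an arbitrary caller, so every
    hit is billable to the key owner. "restricted": Google refused the request,
    which is what a properly restricted key should do outside the app.
    """
    status = json.loads(body).get("status")
    if status in ("OK", "ZERO_RESULTS"):
        return "unrestricted"
    if status == "REQUEST_DENIED":
        return "restricted"
    return "unknown"


def redact_key(key):
    """Shorten a key for reports and logs so the finding itself does not leak it."""
    return key[:8] + "..." + key[-3:]


if __name__ == "__main__":
    for key, paths in find_hardcoded_google_keys(DECODED_APK_FILES).items():
        print(f"hardcoded key {redact_key(key)} found in: {', '.join(paths)}")
    print("sample OK response      ->", classify_geocode_response(SAMPLE_RESPONSE_OK))
    print("sample DENIED response  ->", classify_geocode_response(SAMPLE_RESPONSE_DENIED))
```

In practice you would feed `find_hardcoded_google_keys` the files from `apktool d app.apk` and pass the real Geocoding response to `classify_geocode_response`. A key that classifies as “unrestricted” should be restricted in the Google Cloud console to the app’s package name and signing-certificate SHA-1 and to the specific APIs the app needs, with a quota cap and a billing alert set so abuse of the kind described above shows up before the invoice does; a key that cannot be restricted should be rotated and moved behind the app’s own backend.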

TIMELINE:

Report: 9/12/2022

Fixed: 20/12/2022

Reward: HoF