A responsible disclosure documenting an organization-wide ArcGIS API key exposed across 53 public-facing assets, granting access to the mapping infrastructure underlying approximately 12,000 law enforcement, community, and private sector deployments.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A security researcher discovered Flock Safety's default ArcGIS API key hardcoded across 53 public-facing JavaScript bundles, granting unrestricted access to mapping infrastructure containing surveillance data from approximately 12,000 law enforcement and private deployments. The exposed credential had no referrer restrictions or scope limitations and provided access to 50 private data layers including license plate detections, patrol car locations, drone telemetry, 911 call data, and camera locations. The vulnerability was responsibly disclosed and remediated, but a separate critical vulnerability involving unauthenticated token minting remains unpatched 55+ days after disclosure, revealing systemic credential mismanagement patterns.

53 Times Flock Safety Hardcoded the Password for America's Surveillance Infrastructure

Scope Limitations and Evidentiary Standard

Why This Matters: National Security Implications