53 Times Flock Safety Hardcoded the Password for America's Surveillance Infrastructure


A security researcher discovered Flock Safety's default ArcGIS API key hardcoded across 53 public-facing JavaScript bundles, granting unrestricted access to mapping infrastructure containing surveillance data from approximately 12,000 law enforcement and private deployments. The exposed credential had no referrer restrictions or scope limitations and provided access to 50 private data layers including license plate detections, patrol car locations, drone telemetry, 911 call data, and camera locations. The vulnerability was responsibly disclosed and remediated, but a separate critical vulnerability involving unauthenticated token minting remains unpatched 55+ days after disclosure, revealing systemic credential mismanagement patterns.

15m read time. From nexanet.ai
