A bug bounty write-up detailing how a Google Maps API key was discovered exposed in a publicly accessible production config file (/envs/env.json) found via Android APK static analysis. The key had zero restrictions — no HTTP referrer limits, no IP restrictions, no API-level controls — and granted access to 10 live Google Maps Platform APIs. Financial impact was calculated at up to $331,000/month in potential billing abuse. The post covers the discovery methodology, validation steps using curl, impact analysis, root cause (two chained misconfigurations), remediation steps, and takeaways for security researchers including how to enumerate config file paths and chain findings for higher severity ratings.
Table of contents
IntroductionHow It Started Android APK ReconThe Vulnerability Zero Authentication RequiredValidation Testing the API KeyFinancial Impact $331,000/MonthWhat an Attacker Could DoGet Hacker MD’s stories in your inboxRoot Cause Two Misconfigurations, One Critical FindingRemediationTimelineTakeaways for Security ResearchersConclusionSort: