H3-2026-0037
Exposed Google Maps API Key
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 0.0 |
Description
A Google Maps JavaScript API key was found embedded in a client-side response. (This key is a value starting with AIza, used to load the Google Maps SDK, embed a map iframe, or invoke google.maps.* APIs.) The finding is reported so that operators can verify the key is properly restricted in Google Cloud Console (using HTTP referrer/IP allow-lists and per-API allow-lists).
Impact
If the key is not constrained by HTTP-referrer, IP, or per-API restrictions, an attacker can copy it and use it from arbitrary origins to consume the owner's Maps Platform quota, to incur billing charges, or to invoke any other Google APIs for which the key has been enabled. There is no direct compromise of the application or its users – the risk is billing abuse and quota exhaustion.
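One way to run the restriction check described above, as an added example that is not part of the original finding: the script audits key metadata shaped like the API Keys API `Key` resource (as printed by `gcloud services api-keys list --format=json`) and reports which restrictions are missing. The key names, referrer and service values are constructed sample data, and treating a bare `*` referrer as allow-all is an assumption of this example.

```python
import json

# Constructed sample shaped like the API Keys API v2 Key resource, e.g. the
# output of `gcloud services api-keys list --format=json`. Not real keys.
SAMPLE_KEYS = json.loads("""
[
  {"displayName": "maps-web-prod",
   "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]},
     "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"displayName": "maps-web-legacy",
   "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["*"]}}},
  {"displayName": "maps-unrestricted"}
]
""")

# Application-restriction blocks and the allow-list field inside each one.
APP_RESTRICTIONS = {
    "browserKeyRestrictions": "allowedReferrers",
    "serverKeyRestrictions": "allowedIps",
    "androidKeyRestrictions": "allowedApplications",
    "iosKeyRestrictions": "allowedBundleIds",
}

def audit_key(key):
    """Return the restriction gaps for one key resource (empty list = OK)."""
    restrictions = key.get("restrictions") or {}
    gaps = []
    entries = []
    for field, list_name in APP_RESTRICTIONS.items():
        entries += (restrictions.get(field) or {}).get(list_name) or []
    if not entries:
        gaps.append("no application restriction")
    elif "*" in entries:
        # Assumption of this example: a bare wildcard is as good as none.
        gaps.append("allow-all referrer")
    if not restrictions.get("apiTargets"):
        gaps.append("no API restriction")
    return gaps

def audit_all(keys):
    """Map each key's display name to its list of gaps."""
    return {k.get("displayName", "<unnamed>"): audit_key(k) for k in keys}

if __name__ == "__main__":
    for name, gaps in audit_all(SAMPLE_KEYS).items():
        print(f"{name}: {', '.join(gaps) if gaps else 'restricted'}")
```

The list output does not include the key string itself, so matching the exposed `AIza` value to a key resource is a separate lookup step.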