Reputation: 43
From what I understand (given this previous question and the Google Maps API docs), it seems that an attacker could run up another site's quota.
For example, let's say I run a web app, "Find Taxi", and a competitor runs "Find Ride". In my web app's JavaScript code, I include my Google Maps v3 API key. The developer for "Find Ride" runs a PhantomJS process that spoofs the referrer header (as http://findtaxi.com/) and loads 25,000 maps per day on his server (using up my quota limit). Note that even given the client IP rate limit, 1 request/second/user, the quota can be reached from a single client within one day (86,400 seconds in a day).
I created a simple PhantomJS script to simulate this (and an API key restricting the referrer to example.com/*), so this attack appears to be feasible. Is Google relying on non-technical reasons to prevent this? For example, I can see legal issues (the threat to the business if this attack was leaked) and economic issues (the cost of running the attack server).
I guess I'm asking this question in case I missed a technical reason why this attack isn't possible.
Upvotes: 4
Views: 590
Reputation: 809
Recently I found that manually repeating requests to the quotaService.recordEvent web service will eventually use up the quota, whether you enable HTTP referrer restrictions or not...
Why my Google Maps usage was increased significantly when manually repeating QuotaService.RecordEvent
Not sure if there is any solution to prevent this?
Upvotes: 0
Reputation: 9494
Google Geo support for Business confirmed for me in December 2013 that their docs are out of date on this issue. The Google Maps API domain restrictions use the browser's window.location object and not the HTTP_REFERER request header. This makes sense given how HTTP_REFERER may be missing for a variety of reasons, from a new browser window to a proxy server rewriting the header value.
This makes it much harder to spoof an authorized domain; however, it is still theoretically possible. A very determined attacker could modify the JS native code for window.location in any open source browser engine (e.g., Chromium, PhantomJS, Rhino, etc.).
This seems possible but improbable, unless you have some nasty competitors. Moreover, I bet Google support would investigate suspected API abuse by a third party if you could demonstrate that your Maps API usage is significantly higher than the number of page loads your analytics shows for the page loading the Maps API.
Upvotes: 2
Reputation: 4947
Yes, this is possible; however, Google made domain restrictions for your API key.
This means you can give access only to, for example, the www.example.com domain.
By default, a key can be used on any site. We strongly recommend that you restrict the use of your key to domains that you administer, to prevent use on unauthorized sites. You can specify which domains are allowed to use your API key by clicking the Edit allowed referrers... link for your key.
Source: Source
Upvotes: 0
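The difference between the two answers above (a restriction enforced on the Referer header versus one enforced on the browser's window.location) is easiest to see with a small simulation. The following Node.js script is an added example, not code from the original post, from Google, or from PhantomJS. The pattern syntax ("findtaxi.com/*", "*.findtaxi.com/*", optional scheme), the hostnames, and the idea of evaluating both values side by side are assumptions made for this illustration; matching is done on a parsed URL so that a look-alike host such as "findtaxi.com.findride.example" does not slip through a naive substring check.

```javascript
// Added example (not from the original post, Google, or PhantomJS): simulate
// an API-key "allowed referrer" restriction enforced two ways, on the Referer
// header a client sends versus on the window.location the client-side loader
// reports. Pattern syntax and all hostnames are assumptions for illustration.
// Requires Node.js (uses the global URL class).

// Turn a pattern such as "https://*.findtaxi.com/*" into its parts.
// Scheme and path are optional; a missing path means "any path".
function parsePattern(pattern) {
  const m = /^(?:(https?):\/\/)?([^\/]+)(\/.*)?$/.exec(pattern.trim());
  if (!m) throw new Error(`unsupported pattern: ${pattern}`);
  const [, scheme, hostPart, pathPart = "/*"] = m;
  const wildcardSub = hostPart.startsWith("*.");
  const host = (wildcardSub ? hostPart.slice(2) : hostPart).toLowerCase();
  const exactPath = !pathPart.endsWith("*");
  const pathPrefix = exactPath ? pathPart : pathPart.slice(0, -1);
  return { scheme, host, wildcardSub, exactPath, pathPrefix };
}

// True when the parsed URL `u` satisfies the parsed pattern `p`.
function matchesPattern(p, u) {
  if (p.scheme && u.protocol !== `${p.scheme}:`) return false;
  const host = u.hostname.toLowerCase();
  // Exact host match, or a real subdomain when the pattern starts with "*.".
  // Comparing the parsed hostname (not a substring of the raw string) is what
  // keeps "findtaxi.com.findride.example" from matching "findtaxi.com/*".
  const hostOk = host === p.host || (p.wildcardSub && host.endsWith(`.${p.host}`));
  if (!hostOk) return false;
  return p.exactPath ? u.pathname === p.pathPrefix : u.pathname.startsWith(p.pathPrefix);
}

// Deny anything that is missing or is not a parseable absolute URL
// (a missing Referer header therefore fails closed, not open).
function allowedByPatterns(urlString, patterns) {
  let u;
  try {
    u = new URL(urlString);
  } catch (_) {
    return false;
  }
  return patterns.map(parsePattern).some((p) => matchesPattern(p, u));
}

// Hypothetical restriction configured for the "Find Taxi" key.
const ALLOWED = ["findtaxi.com/*", "*.findtaxi.com/*"];

// Constructed requests as the API server would see them: the Referer header
// the client chose to send, and the window.location the page's JS reported.
// Attacker hostnames are hypothetical.
const SCENARIOS = {
  legitimate:    { refererHeader: "https://www.findtaxi.com/map",          windowLocation: "https://www.findtaxi.com/map" },
  spoofedHeader: { refererHeader: "http://findtaxi.com/",                  windowLocation: "http://findride.example/abuse.html" },
  patchedEngine: { refererHeader: "http://findtaxi.com/",                  windowLocation: "http://findtaxi.com/" },
  lookalikeHost: { refererHeader: "http://findtaxi.com.findride.example/", windowLocation: "http://findtaxi.com.findride.example/" },
  noReferer:     { refererHeader: undefined,                               windowLocation: "https://findtaxi.com/embed" },
};

// Evaluate one request under both enforcement strategies.
function evaluateRequest(req, patterns = ALLOWED) {
  return {
    refererCheck: allowedByPatterns(req.refererHeader, patterns),
    locationCheck: allowedByPatterns(req.windowLocation, patterns),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, req] of Object.entries(SCENARIOS)) {
    console.log(name.padEnd(14), evaluateRequest(req));
  }
}
```

Running it shows the point of the December 2013 answer: the spoofed-header scenario passes a Referer check but fails a window.location check, while the patched-engine scenario (an attacker who altered what the browser reports for window.location) passes both, which is the residual risk that answer describes. The no-Referer scenario also shows why a header-based check would wrongly block legitimate loads from pages that send no Referer at all.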