Received email about publicly accessible API key but it's restricted by website

Hello - I received an email about an API key being publicly accessible in my source on a webpage of a site I look after. I've restricted use of this API key in the Settings & APIs > Credentials section of my console, under 'Website restrictions', to the domain in question, with the format https:/www.mydomain.com/*

Is this still a concern? The API restriction is for Maps, Places, Geocoding.

My understanding was that with these Website and API restrictions in place, having the API key in the public source was not an issue, but am I mistaken?

Thanks


Curious about this too since receiving a similar email.

Hi @larrybread ,

Can you share a screenshot of the email?

Hi @larrybread ,

If you have already added restrictions to your API keys, then this should be resolved. I recommend reviewing the documentation on the Remediation for Exposed GCP API Keys and Authenticating Best Practices for API keys.

Aside from this, I love Maps, Places, and Geocoding. If you ever need someone to collaborate with, just let me know!

To follow up, I've left all my sites with website/domain restrictions as before. Not IP restrictions as apparently this will stop these APIs working.

I also received another, identical email today about one of these sites (not the one in my original post), so I guess this is something that is ongoing.

I've run up against another issue in that I'm using a Google Reviews plugin (WordPress) on one of these sites that has recently stopped importing new reviews. Apparently the Places API will not import these with restrictions in place. As this only seems to have become an issue recently I wonder if API changes are taking place in the last month or two that are at the root of all this.

https://maps.googleapis.com/maps/api/place/details/json?placeid=XXXX&key=XXXX

yields:

{
   "error_message" : "API keys with referer restrictions cannot be used with this API.",
   "html_attributions" : [],
   "status" : "REQUEST_DENIED"
}
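
A triage helper for the denial shown in the post above, as an added example that is not part of the thread or of any plugin's code: it recognises the referer-restriction error in a web-service reply and masks the key before the URL is logged. The function names are hypothetical; the sample URL and reply are the ones quoted in the post, and the "OK" reply is constructed.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Error text exactly as quoted in the post above.
REFERER_MSG = "API keys with referer restrictions cannot be used with this API."

# Sample inputs: URL and denial body from the post (placeholders kept),
# plus a constructed successful reply for comparison.
SAMPLE_URL = "https://maps.googleapis.com/maps/api/place/details/json?placeid=XXXX&key=XXXX"
SAMPLE_DENIED = json.dumps({
    "error_message": REFERER_MSG,
    "html_attributions": [],
    "status": "REQUEST_DENIED",
})
SAMPLE_OK = json.dumps({"html_attributions": [], "status": "OK"})


def redact_key(url):
    """Return the URL with the value of its key= parameter masked, so it is safe to log."""
    parts = urlsplit(url)
    query = [(name, "REDACTED" if name == "key" else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def triage(url, body):
    """Classify a web-service JSON reply (hypothetical helper) for a log line or alert."""
    reply = json.loads(body)
    status = reply.get("status", "")
    message = reply.get("error_message", "")
    if status == "REQUEST_DENIED" and message == REFERER_MSG:
        finding = "referer-restricted key used on a web-service endpoint"
    elif status == "REQUEST_DENIED":
        finding = "request denied for another reason: " + message
    else:
        finding = "no key-restriction problem reported"
    return {"url": redact_key(url), "status": status, "finding": finding}


if __name__ == "__main__":
    for sample in (SAMPLE_DENIED, SAMPLE_OK):
        print(triage(SAMPLE_URL, sample))
```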

Mcn
Bronze 1

Hello

I am not a developer but I have made my own WordPress for my business.

I have received the same email 2 weeks ago and I have no idea what this is about... 😯

How bad is the situation please? Do i need to do something?

Thank you 

We are also getting the same error when we access the Geocode API. Any solution for this issue?