A Sensitive Information Disclosure vulnerability involving a Google API key occurs when the key is inadvertently exposed in client-side code or in a publicly accessible repository. Attackers who obtain the key can misuse it to access data or perform unauthorized actions on behalf of the key's owner. To mitigate this, developers should avoid hardcoding API keys in client-side code, restrict each API key to specific domains (referrers) or specific APIs, and regularly audit code repositories for accidentally committed keys.
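As an added example (not part of the original page), the following audit script implements the "regularly audit code repositories" step above: it scans source text or a checked-out tree for strings shaped like Google API keys and reports them with the secret masked. The 39-character "AIza" key format, the regex, the file-suffix list and the sample keys are assumptions of this example, not values taken from the page.

```python
import re
from pathlib import Path
from typing import NamedTuple

# Google API keys are 39 characters: the literal prefix "AIza" plus 35 characters
# from [A-Za-z0-9_-]. This regex is the usual secret-scanner heuristic for that
# format (an assumption of this example); the look-arounds keep it from firing inside a longer token.
GOOGLE_API_KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])AIza[0-9A-Za-z_-]{35}(?![A-Za-z0-9_-])")

# File types most likely to ship a key to the browser or land in a public repo.
SCAN_SUFFIXES = {".js", ".jsx", ".ts", ".tsx", ".html", ".json", ".env", ".py", ".java"}

class Finding(NamedTuple):
    path: str
    line: int
    masked_key: str  # never copy the full secret into logs or tickets

def mask(key: str) -> str:
    """Keep prefix and tail so the key can be identified, hide the middle."""
    return key[:8] + "*" * (len(key) - 12) + key[-4:]

def find_keys_in_text(text: str, path: str = "<inline>") -> list[Finding]:
    """Return one Finding per Google API key occurrence in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, mask(m.group(0))))
    return findings

def scan_tree(root: str) -> list[Finding]:
    """Walk a checked-out repository (skipping .git) and scan candidate files."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in SCAN_SUFFIXES and ".git" not in p.parts:
            findings.extend(find_keys_in_text(p.read_text("utf-8", errors="replace"), str(p)))
    return findings

# Constructed, fake keys: "AIza" + 35 allowed characters = 39 characters.
FAKE_KEY_1 = "AIzaSy" + "0123456789abcdefghijklmnopqrstuvw"  # 6 + 33
FAKE_KEY_2 = "AIzaSy" + "wvutsrqponmlkjihgfedcba9876543210"  # 6 + 33
# Constructed client-side snippet: a hardcoded config key, a too-short near miss
# that must not match, and a key embedded in a request URL.
SAMPLE_JS = (
    f'const cfg = {{ apiKey: "{FAKE_KEY_1}" }};\n'
    'const nope = "AIzaTooShortToBeAKey";\n'
    f'fetch("https://maps.googleapis.com/maps/api/geocode/json?key={FAKE_KEY_2}");\n'
)
for f in find_keys_in_text(SAMPLE_JS, "app.js"):
    print(f"{f.path}:{f.line}: possible Google API key {f.masked_key}")
```

Run `scan_tree(".")` from a repository root to check committed files; a hit is a signal to rotate the key and add domain or API restrictions, not just to delete the line.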
Do the following, at a minimum, and consult the references:
* Classify data processed, stored or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
* Apply controls as per the classification.
* Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS-compliant tokenization or even truncation. Data that is not retained cannot be stolen.
* Make sure to encrypt all sensitive data at rest.
* Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
* Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS).
* Disable caching for responses that contain sensitive data.
* Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.
* Verify independently the effectiveness of configuration and settings.
Code: A02:2021
Category: Cryptographic Failures
5.3