iacas, posted February 28, 2023:
So… Google emailed to say "we've found a publicly accessible API key for Google Maps. You should stop doing that." I looked at the page they linked to, and yep, there it is. There is no map on that page. I've since disabled Google Maps from the "Integrations" page in ACP, but… is this something that can be fixed in IPS? I see no way for me to do anything about it, and obviously I would rather people NOT get my public key (even though my private one is still a secret), which is why they sent the email to begin with.

Marc, posted March 1, 2023:
I would need to know the example page so we can take a look at this for you.

Square Wheels, posted March 1, 2023:
3 hours ago, Marc Stridgen said: "I would need to know the example page so we can take a look at this for you."
I got the same email. Here's the example on my site they gave: https://www.pathlabtalk.com/forum/index.php?/topic/4398-cloudy-ffp/

iacas (author), posted March 1, 2023:
@Marc Stridgen it's literally (almost) every page.
https://www.pathlabtalk.com/forum/index.php?/topic/9170-cooler-for-the-or/
https://www.pathlabtalk.com/forum/index.php?/topic/11608-wrong-abo-typing-by-gel/
https://www.pathlabtalk.com/forum/index.php?/topic/11600-clia-cap-proficiency-testing/
Those were just the first three in @Square Wheels's particular sub-forum.

Nathan Explosion, posted March 1, 2023:
Pumped out via this in global -> global -> includeJS.phtml

Stuart Silvester, posted March 1, 2023:
Make sure that you're following the instructions on AdminCP > Integrations > Google Maps. You should have two different API keys, one that is public with restricted access and one that is private.
iacas (author), posted March 1, 2023 (edited March 1, 2023 by iacas):
6 minutes ago, Stuart Silvester said: "Make sure that you're following the instructions on AdminCP > Integrations > Google Maps. You should have two different API keys, one that is public with restricted access and one that is private."
I can't speak for others, but I am following those directions. I verified this just now. My Public Key is in the Public Key location and my Private Key is in the Private Key location. The email says: My public key is what's being shown.

Stuart Silvester, posted March 1, 2023:
It might be worth double checking that your public key has the HTTP referrer protection enabled on it. This is the appropriate way to protect an API key that must be public (it needs to be passed to the Google Maps JavaScript): https://developers.google.com/maps/api-security-best-practices#restricting-api-keys

iacas (author), posted March 1, 2023 (edited March 1, 2023 by iacas):
4 minutes ago, Stuart Silvester said: "It might be worth double checking that your public key has the HTTP referrer protection enabled on it. This is the appropriate way to protect an API key that must be public (it needs to be passed to the Google Maps JavaScript): https://developers.google.com/maps/api-security-best-practices#restricting-api-keys"
I'm also doing that (and didn't change this setting in the past few years). Maybe they routinely send this email, I don't know. I do know I've never gotten it before, and I've not made a change to my settings here in quite a while.

iacas (author), posted March 1, 2023:
It's exposed in this topic (except you haven't put the key in), too.

Square Wheels, posted March 2, 2023:
Hi, any updates on this? @Stuart Silvester or @Marc Stridgen? Was this inadvertently introduced with 4.7.7? Thank you.
Dll, posted March 2, 2023:
Maybe I'm missing something here, but a public key is intended to be exposed. It's the private key which shouldn't be. What you should be doing, though, is setting restrictions on the key inside your Google account to stop unauthorised use.

iacas (author), posted March 2, 2023:
5 hours ago, Dll said: "Maybe I'm missing something here, but a public key is intended to be exposed. It's the private key which shouldn't be. What you should be doing, though, is setting restrictions on the key inside your Google account to stop unauthorised use."
I understand that. What I don't entirely understand is the email from Google. 🙂 Especially since I have an API key restricting it to being accessed from my domain name only. I haven't updated these settings in years. Weird to get an email about it now.

Randy Calvert, posted March 2, 2023:
Google isn't always right. It's saying something MIGHT be wrong and to look into it more. Log into their console and look at the activity. Do you see other sites using your code? If not, it's most likely a false positive issue. And while you're there, it's a good opportunity to review your security settings to ensure you have policies in place to accept API requests only from your site, etc.

teraßyte, posted March 3, 2023:
I received the same email yesterday, but I think Google just messed up. Their check should warn about private keys being public. A public key being public is... obvious? 👀

Stuart Silvester, posted March 3, 2023:
23 hours ago, Square Wheels said: "Hi, any updates on this? @Stuart Silvester or @Marc Stridgen? Was this inadvertently introduced with 4.7.7? Thank you."
As others mention, either Google has sent these warnings by mistake, or they're just asking you to check your configuration. There must be a public API key that is passed to the JavaScript that displays the map. Providing that you're following our instructions of having two keys, and restrictions on the public key, you will be following Google's best practices that were linked above.
Martin A., posted March 6, 2023:
On 3/3/2023 at 5:42 PM, Stuart Silvester said: "As others mention, either Google has sent these warnings by mistake, or they're just asking you to check your configuration. There must be a public API key that is passed to the JavaScript that displays the map. Providing that you're following our instructions of having two keys, and restrictions on the public key, you will be following Google's best practices that were linked above."
You could fetch the key with AJAX when needed. That would at least hide the key from plain sight, and prevent it from being scraped. I've received this email from Google about API keys from multiple projects I'm involved in. I think they are sending this to everyone with a key visible in the source code regardless of restrictions applied to it.

Marc, posted March 6, 2023:
Do you have the full email we can take a look at, so we understand what exactly they are saying?

Square Wheels, posted March 6, 2023:
2 hours ago, Marc Stridgen said: "Do you have the full email we can take a look at, so we understand what exactly they are saying?"

Suspicious Activity Alert
Publicly accessible Google API key for Google Cloud Platform project PLT Login (id: plt-login)

Dear Customer,

We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project:

Project PLT Login (id: plt-login) with API key AIzaSyCgZQExEPcYFIUzqph8Ah_9LGNVv4mD1o0

The key was found at the following URL:
https://www.pathlabtalk.com/forum/index.php?/topic/4398-cloudy-ffp/

We believe that you or your organization may have inadvertently published the affected API key in public sources or on public websites (for example, credentials mistakenly uploaded to a service such as GitHub). Please note that as the project/account owner, you are responsible for securing your keys. Therefore, we recommend that you take the following steps to remedy this situation:

If this key is intended to be public (or if a publicly accessible key isn't preventable):
- Log in to the Google Cloud Console and review the API and billing activity on your account, ensuring the usage is in line with what you expected.
- Add API key restrictions to your API key, if applicable.

If this key was NOT meant to be public:
- Regenerate the compromised API key: Search for Credentials in the cloud console platform, Edit the leaked key, and use the Regenerate Key button to rotate the key. For more details, review the instructions on handling compromised GCP credentials.
- Take immediate steps to ensure that your API key(s) are not embedded in public source code systems, stored in download directories, or unintentionally shared in other ways.
- Add API key restrictions to your API key, if applicable.

The security of your Google Cloud Platform account(s) is important to us.

GO TO MY CONSOLE

Sincerely,
Google Cloud Platform Trust & Safety
Marc, posted March 6, 2023:
Thank you. I have actually just seen this in another topic. The key there is number 1 in their list of steps. It's intended here, which is why it's visible. You should indeed add API key restrictions for your domain; however, other than that, there is no actual issue there. Unfortunately, it seems Google are sending these out without having checked if any restrictions are in place already.

Square Wheels, posted March 6, 2023:
5 minutes ago, Marc Stridgen said: "Thank you. I have actually just seen this in another topic. The key there is number 1 in their list of steps. It's intended here, which is why it's visible. You should indeed add API key restrictions for your domain; however, other than that, there is no actual issue there. Unfortunately, it seems Google are sending these out without having checked if any restrictions are in place already."
Thanks, I already had it set to Website and my site. I'll continue to ignore these emails should I get more.

Arcade King, posted March 6, 2023:
On 3/1/2023 at 7:45 AM, iacas said: "So… Google emailed to say "we've found a publicly accessible API key for Google Maps. You should stop doing that." I looked at the page they linked to, and yep, there it is. There is no map on that page. I've since disabled Google Maps from the "Integrations" page in ACP, but… is this something that can be fixed in IPS? I see no way for me to do anything about it, and obviously I would rather people NOT get my public key (even though my private one is still a secret), which is why they sent the email to begin with."
Got the same email yesterday, and ever since I've been getting this error in the admin console under Secret API Key: "This IP, site or mobile application is not authorized to use this API key. Request received from IP address 2402:1180:0:2::53, with empty referer"

Marc, posted March 7, 2023:
The error message you are getting there, and the email from Google, are not related in any way. You need to check the restrictions you have in place for your key, as currently it seems you are blocking your own site from accessing it.

HighlanderICT, posted March 7, 2023:
Also got the exact same email from Google today. I am assuming I set this up correctly and the key they reference in the email is definitely the value of the public key, not the private one. Just don't want to get a nasty surprise one day where my normal $0.00 Google Maps "invoice" actually shows an amount.
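Several posters above (iacas, HighlanderICT) checked by eye that the key Google flagged in their page source was the public key and not the private one. The following is an added example, not code from the thread or from Invision Community, that automates that check: it pulls every Google-API-key-shaped string out of a page's HTML and compares each against the two keys configured in the ACP, reporting a private-key exposure as the case that needs rotation. The HTML and the key values are constructed placeholders, not real keys.

```python
import re

# Google API keys are commonly observed as "AIza" followed by 35 URL-safe characters.
KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Constructed sample values (not real keys): the two keys an admin would enter
# under AdminCP > Integrations > Google Maps.
PUBLIC_KEY = "AIza" + "P" * 35
PRIVATE_KEY = "AIza" + "S" * 35

# Constructed page source standing in for what the site's global JS include emits;
# note that the key is present even though no map is rendered on the page.
SAMPLE_HTML = f"""
<script src="https://maps.googleapis.com/maps/api/js?key={PUBLIC_KEY}"></script>
<script>window.mapsKey = '{PUBLIC_KEY}';</script>
"""


def find_keys(html):
    """Return the distinct key-shaped strings found in the page source, in order of appearance."""
    found = []
    for match in KEY_RE.finditer(html):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def classify(keys, public_key, private_key):
    """Map each discovered key to a verdict the site admin can act on."""
    verdict = {}
    for key in keys:
        if key == private_key:
            verdict[key] = "PRIVATE KEY EXPOSED: regenerate it in the Cloud Console"
        elif key == public_key:
            verdict[key] = "public key (expected; confirm the HTTP referrer restriction is set)"
        else:
            verdict[key] = "unknown key: not one of the configured keys, investigate"
    return verdict


def audit(html, public_key, private_key):
    """Run the full check: extract keys from the page, then classify them."""
    return classify(find_keys(html), public_key, private_key)


if __name__ == "__main__":
    for key, verdict in audit(SAMPLE_HTML, PUBLIC_KEY, PRIVATE_KEY).items():
        print(f"{key[:8]}...: {verdict}")
```

To run it against a live page, replace SAMPLE_HTML with the fetched source of the URL Google named in its email and the placeholder keys with your own.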