Posted

So… Google emailed to say "we've found a publicly accessible API key for Google Maps. You should stop doing that."

I looked at the page they linked to, and yep, there it is. There is no map on that page.

I've since disabled Google Maps from the "Integrations" page in ACP, but… is this something that can be fixed in IPS? I see no way for me to do anything about it, and obviously I would rather people NOT get my public key (even though my private one is still a secret), which is why they sent the email to begin with.

Posted (edited)
6 minutes ago, Stuart Silvester said:

Make sure that you're following the instructions on AdminCP > Integrations > Google Maps.

You should have two different API keys, one that is public with restricted access and one that is private.

I can't speak for others, but I am following those directions.

I verified this just now. My Public Key is in the Public Key location and my Private Key is in the Private Key location.

The email says:

My public key is what's being shown.

Edited by iacas
Posted (edited)
4 minutes ago, Stuart Silvester said:

It might be worth double checking that your public key has the http referrer protection enabled on it.

This is the appropriate way to protect an API key that must be public (it needs to be passed to the Google Maps JavaScript) - https://developers.google.com/maps/api-security-best-practices#restricting-api-keys

I'm also doing that (and didn't change this setting in the past few years):

Maybe they routinely send this email, I don't know. I do know I've never gotten it before, and I've not made a change to my settings here in quite a while.

Edited by iacas
Posted

Maybe I'm missing something here, but a public key is intended to be exposed. It's the private key which shouldn't be. 

What you should be doing though, is setting restrictions on the key inside your Google account to stop unauthorised use.

Posted
5 hours ago, Dll said:

Maybe I'm missing something here, but a public key is intended to be exposed. It's the private key which shouldn't be. 

What you should be doing though, is setting restrictions on the key inside your Google account to stop unauthorised use.

I understand that. What I don't entirely understand is the email from Google. 🙂 Especially since I have an API key restricting it to being accessed from my domain name only.

I haven't updated these settings in years. Weird to get an email about it now.

Posted

Google isn't always right. It's saying something MIGHT be wrong and to look into it more.

Log into their console and look at the activity. Do you see other sites using your code? If not, it's most likely a false positive issue.

And while you’re there, it’s a good opportunity to review your security settings to ensure you have policies in place to accept API requests only from your site, etc. 

Posted
23 hours ago, Square Wheels said:

Hi,

Any updates on this? @Stuart Silvester or @Marc Stridgen?

Was this inadvertently introduced with 4.7.7?

Thank you

As others mention, either Google has sent these warnings by mistake, or they're just asking you to check your configuration. There must be a public API key that is passed to the JavaScript that displays the map. Providing that you're following our instructions of having two keys, and restrictions on the public key, you will be following Google's best practices that were linked above.

Posted
On 3/3/2023 at 5:42 PM, Stuart Silvester said:

As others mention, either Google has sent these warnings by mistake, or they're just asking you to check your configuration. There must be a public API key that is passed to the JavaScript that displays the map. Providing that you're following our instructions of having two keys, and restrictions on the public key, you will be following Google's best practices that were linked above.

You could fetch the key with AJAX when needed. That would at least hide the key from plain sight, and prevent it from being scraped. 

I've received this email from Google about API keys from multiple projects I'm involved in. I think they are sending this to everyone with a key visible in the source code regardless of restrictions applied to it.

Posted
2 hours ago, Marc Stridgen said:

Do you have the full email we can take a look at, so we understand what exactly they are saying?

Notification Suspicious Activity Alert
Publicly accessible Google API key for Google Cloud Platform project PLT Login (id: plt-login)
Dear Customer,

We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project:

Project PLT Login (id: plt-login) with API key AIzaSyCgZQExEPcYFIUzqph8Ah_9LGNVv4mD1o0

The key was found at the following URL: https://www.pathlabtalk.com/forum/index.php?/topic/4398-cloudy-ffp/

We believe that you or your organization may have inadvertently published the affected API key in public sources or on public websites (for example, credentials mistakenly uploaded to a service such as GitHub.)

Please note that as the project/account owner, you are responsible for securing your keys. Therefore, we recommend that you take the following steps to remedy this situation:

  1. If this key is intended to be public (or if a publicly accessible key isn’t preventable):
    • Log in to the Google Cloud Console and review the API and billing activity on your account, ensuring the usage is in line with what you expected.
    • Add API key restrictions to your API key, if applicable.
  2. If this key was NOT meant to be public:
    • Regenerate the compromised API key: Search for Credentials in the cloud console platform, Edit the leaked key, and use the Regenerate Key button to rotate the key. For more details, review the instructions on handling compromised GCP credentials.
    • Take immediate steps to ensure that your API key(s) are not embedded in public source code systems, stored in download directories, or unintentionally shared in other ways.
    • Add API key restrictions to your API key, if applicable.

The security of your Google Cloud Platform account(s) is important to us.

GO TO MY CONSOLE
Sincerely,
Google Cloud Platform Trust & Safety
Posted

Thank you. I have actually just seen this in another topic. The key there is number 1 in their list of steps. It's intended here, which is why it's visible. You should indeed add API key restrictions for your domain, however other than that, there is no actual issue there. Unfortunately, it seems Google are sending these out without having checked if any restrictions are in place already.

Posted
5 minutes ago, Marc Stridgen said:

Thank you. I have actually just seen this in another topic. The key there is number 1 in their list of steps. It's intended here, which is why it's visible. You should indeed add API key restrictions for your domain, however other than that, there is no actual issue there. Unfortunately, it seems Google are sending these out without having checked if any restrictions are in place already.

Thanks, I already had it set to Website and my site.

I'll continue to ignore these emails should I get more.

Posted
On 3/1/2023 at 7:45 AM, iacas said:

So… Google emailed to say "we've found a publicly accessible API key for Google Maps. You should stop doing that."

I looked at the page they linked to, and yep, there it is. There is no map on that page.

I've since disabled Google Maps from the "Integrations" page in ACP, but… is this something that can be fixed in IPS? I see no way for me to do anything about it, and obviously I would rather people NOT get my public key (even though my private one is still a secret), which is why they sent the email to begin with.

Got the same Email yesterday and ever since getting this error in the admin console under Secret API Key

This IP, site or mobile application is not authorized to use this API key. Request received from IP address 2402:1180:0:2::53, with empty referer

Posted

The error message you are getting there, and the email from Google, are not related in any way. You need to check the restrictions you have in place for your key, as currently it seems you are blocking your own site from accessing.
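As an added illustration of the two points above (not code from the thread or from Invision Community): a simplified model of how an HTTP-referrer restriction on the public key behaves, using the pattern style from Google's API key documentation. The matching is an approximation of Google's rules, and the domain, URLs and allowlist are constructed; it shows why a request without a Referer header, such as a server-to-server call, is rejected by a referrer-restricted key.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist, as it would be entered under "Website restrictions" for the
# public (browser) key. Both forms are needed: 'example.com/*' does not cover 'www.'.
PUBLIC_KEY_REFERRERS = ["example.com/*", "*.example.com/*"]


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a referrer pattern into a regex; '*' matches any run of characters."""
    pattern = re.sub(r"^[a-z][a-z0-9+.-]*://", "", pattern, flags=re.IGNORECASE)
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)


def referer_allowed(referer: "str | None", patterns: "list[str]") -> bool:
    """Decide whether a request carrying this Referer may use the restricted key.

    An absent or empty Referer never matches anything, so a server-to-server call
    (which sends no Referer) made with a referrer-restricted key is rejected; such
    calls belong on the separate server key, restricted by IP address instead."""
    if not referer:
        return False
    parts = urlsplit(referer)
    host_and_path = parts.netloc.lower() + (parts.path or "/")
    return any(rx.match(host_and_path) for rx in map(_pattern_to_regex, patterns))


def evaluate_requests() -> "dict[str, bool]":
    """Run constructed sample requests through the check and return the verdicts."""
    samples = {
        "browser_on_site": "https://www.example.com/forum/index.php?/topic/4398-x/",
        "browser_on_bare_domain": "https://example.com/",
        "browser_on_other_site": "https://evil.example.net/copy-of-page.html",
        "server_side_no_referer": "",  # what a cron job or PHP call looks like
    }
    return {name: referer_allowed(ref, PUBLIC_KEY_REFERRERS) for name, ref in samples.items()}


if __name__ == "__main__":
    for name, ok in evaluate_requests().items():
        print(f"{name:24s} {'allowed' if ok else 'rejected'}")
```

Only the first two sample requests are allowed; the copy of the page on another site and the server-side call with no Referer are both rejected, the latter matching the "with empty referer" error quoted earlier.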

Posted

Also got the exact same email from Google today. I am assuming I set this up correctly and the key they reference in the email is definitely the value of the public key not the private one. Just don't want to get a nasty surprise one day where my normal $0.00 Google Maps "invoice" actually shows an amount.
