Publicly accessible Google API key for Google Cloud Platform project

[SoloInter]

Suspicious Activity Alert Publicly accessible Google API key for Google Cloud Platform project ****** (id: ******)

Dear Customer,   We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project: Project ****** (id: ******) with API key ************** The key was found at the following URL: https://www.internazionale.fr/articles/inter-milan/people-lauti-et-sa-femme-vont-bien-r17513/ We believe that you or your organization may have inadvertently published the affected API key in public sources or on public websites (for example, credentials mistakenly uploaded to a service such as GitHub.) Please note that as the project/account owner, you are responsible for securing your keys. Therefore, we recommend that you take the following steps to remedy this situation: If this key is intended to be public (or if a publicly accessible key isn’t preventable): Log in to the Google Cloud Console and review the API and billing activity on your account, ensuring the usage is in line with what you expected. Add API key restrictions to your API key, if applicable. If this key was NOT meant to be public: Regenerate the compromised API key: Search for Credentials in the cloud console platform, Edit the leaked key, and use the Regenerate Key button to rotate the key. For more details, review the instructions on handling compromised GCP credentials. Take immediate steps to ensure that your API key(s) are not embedded in public source code systems, stored in download directories, or unintentionally shared in other ways. Add API key restrictions to your API key, if applicable. The security of your Google Cloud Platform account(s) is important to us. GO TO MY CONSOLE

Sincerely, Google Cloud Platform Trust & Safety         I juste received this email from Google.

[Marc]

Please take a look at item 1 they mention there. The key is intended to be public, as its passed via javascript. You can of course ensure its limited for use only from your domain, on your google console

 

[SoloInter]

Yep, it's already done : 

 

So i don't understand why I received this email ..

[Marc]

They appear to be sending them to everyone unfortunately.

[SoloInter]

How is it possible ?
I follow every putain de steps :

 

 

Comment limiter ma clé API à des sites spécifiques ?

Utilisez un site Web pour limiter les URL pouvant se servir d'une clé API. En savoir plus 

Voici quelques exemples d'URL que vous pouvez autoriser pour configurer un site Web :

• Toutes les URL contenues dans un seul domaine sans sous-domaines : https://example.com
• Toutes les URL contenues dans un seul sous-domaine : https://sub.example.com
• Tous les sous-domaines contenus dans un seul domaine et utilisant le caractère générique astérisque (*) : https://*.example.com
• Un domaine et tous ses sous-domaines utilisant le caractère générique astérisque (*) :
  • https://example.com
  • https://*.example.com
• Une URL contenant un port non standard : http://www.example.com:8000

Remarque : Les fragments et les paramètres de requête ne sont actuellement pas acceptés. Ils seront ignorés si vous les incluez dans un site Web.

 

It's limited to these 3 domains.

I added has Google ask. It's not send to everyone.

[Randy Calvert]

The public key is intended to be that… public. It HAS to be in the request for your end user to view something that generates a map request. The private key is not shared. 

Google appears to be mass sending it to people.  The key is only shared in the way Google instructs it to be done.  Make sure you have proper restrictions so your key can be used from your domain and you’ll be fine. 

Edited March 9, 2023 by Randy Calvert