Findings in Swiggy’s Codebase: Memory Leak and Google Maps API Key Exposure.
Greetings, Infosec aficionados! Today, we’re diving into the Swiggy’s tech oopsies, featuring not one but two delightful vulnerabilities.
1st Vulnerability:
Google Maps API Key Exposure Swiggy, like many other apps, relies on various APIs to provide seamless services. In this case, they used the Google Maps Staticmap API and Streetview API to enhance their location-based features.
Reproduction:
Curiosity often leads us to explore and test the boundaries. I was looking through source code I stumbled upon Swiggy’s API key in a JavaScript file URL. From there, it was easy to see that accessing the URLs directly revealed the vulnerable API key. Then i exploited using some tools and a code which was provided by google.
Tools used:
1. To find any api keys https://github.com/trufflesecurity/trufflehog
2. Exploit the key — https://github.com/streaak/keyhacks
3. Gmap api scanner — https://github.com/ozguralp/gmapsapiscanner
4. https://mapsplatform.google.com/maps-products/#maps-section
Voilà! The key was exposed, leaving the door wide open for potential misuse.
Conclusion:
Swiggy’s API key exposure may seem like a tiny flaw, but it highlights the importance of rigorous security practices.
2nd Vulnerability:
When the program allocates memory to perform tasks, it forgets to free up that memory after use. As a result, memory usage keeps piling up like an ever-growing tower of blocks, slowly eating away the available resources.
Consequences:
This memory trouble can cause slow performance, making the program slower than a sleepy sloth.With time, the continuous memory usage can push the program towards a crash.
Reproduction:
Same as above when i was checking through some .js files found another one which was all about debugging and some monitoring information, which was sensitive and shouldn't be exposed.
Tools used:
Using memory profiling tools like pprof or Valgrind.
https://github.com/google/pprof
https://valgrind.org/
Conclusion:
Swiggy’s “Memory Leak” is a sneaky foe that can quietly cause mayhem if left unchecked.
Reply from Swiggy:
Sadly, both of the vulnerabilities are duplicate. It’s disheartening to accept this fact, but it’s an opportunity for learning. So, I just wanted to give you a heads up on how I came across these duplicate vulnerabilities. It’s actually pretty cool because it adds to what we can learn from the whole experience.
NOTE: Any automated tool cannot replace human’s brain so try to exploit on own, try doing without any automated tools so it enhances our skills and knowledge.
📫 Reach me if you wish to:
LinkedIn: https://www.linkedin.com/in/varshini~ramesh/
Twitter: https://twitter.com/varshiniramesh5
GitHub: https://github.com/varsh1408
