InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Findings in Swiggy’s Codebase: Memory Leak and Google Maps API Key Exposure.

Greetings, Infosec aficionados! Today, we’re diving into Swiggy’s tech oopsies, featuring not one but two delightful vulnerabilities.

1st Vulnerability:

Google Maps API Key Exposure

Swiggy, like many other apps, relies on various APIs to provide seamless services. In this case, they used the Google Maps Staticmap API and Streetview API to enhance their location-based features.

Reproduction:

Curiosity often leads us to explore and test the boundaries. While I was looking through the source code, I stumbled upon Swiggy’s API key in a JavaScript file URL. From there, it was easy to see that accessing the URLs directly revealed the vulnerable API key. Then I exploited it using some tools and code provided by Google.

Tools used:

1. To find any API keys: https://github.com/trufflesecurity/trufflehog

2. Exploit the key: https://github.com/streaak/keyhacks

3. Gmap API scanner: https://github.com/ozguralp/gmapsapiscanner

4. https://mapsplatform.google.com/maps-products/#maps-section

Voilà! The key was exposed, leaving the door wide open for potential misuse.

Conclusion:

Swiggy’s API key exposure may seem like a tiny flaw, but it highlights the importance of rigorous security practices.

Report to Swiggy regarding Google Maps API key exposure
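A defender-side check for the exposure described above, as an added example (not code from the original post or from Swiggy): it audits built JavaScript for Google API key literals and flags Maps Static and Street View Static URLs that embed a key without a `signature` parameter. The `AIza` plus 35-character key pattern, the file name `app.bundle.js` and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: CI-style audit of built JavaScript for Google API keys.
// Assumption: Google API keys are "AIza" followed by 35 URL-safe characters.
const KEY_RE = /AIza[0-9A-Za-z_-]{35}/g;
// The two static endpoints named on this page; both accept a `signature` parameter.
const STATIC_URL_RE =
  /https:\/\/maps\.googleapis\.com\/maps\/api\/(staticmap|streetview)\?[^\s"'`<>]*/g;

// Never print a full key into CI logs.
const redact = (key) => `${key.slice(0, 6)}...${key.slice(-4)}`;
const lineOf = (text, index) => text.slice(0, index).split("\n").length;

function auditBundle(name, text) {
  const findings = [];
  const seenInUrl = new Set(); // offsets of keys already reported with URL context
  for (const m of text.matchAll(STATIC_URL_RE)) {
    const signed = /[?&]signature=/.test(m[0]);
    for (const k of m[0].matchAll(KEY_RE)) {
      seenInUrl.add(m.index + k.index);
      findings.push({ file: name, line: lineOf(text, m.index), key: redact(k[0]),
        api: m[1], severity: signed ? "info" : "high",
        note: signed ? "signed static URL" : "unsigned static URL embeds key" });
    }
  }
  for (const m of text.matchAll(KEY_RE)) {
    if (seenInUrl.has(m.index)) continue;
    findings.push({ file: name, line: lineOf(text, m.index), key: redact(m[0]),
      api: "unknown", severity: "medium",
      note: "key literal in bundle; confirm referrer and API restrictions" });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample input (not Swiggy's code); the key is an obvious fake.
const FAKE_KEY = "AIza" + "X".repeat(35);
const SAMPLE = [
  `const cfg = { mapsKey: "${FAKE_KEY}" };`,
  `img.src = "https://maps.googleapis.com/maps/api/staticmap?center=12.97,77.59&zoom=14&size=400x300&key=${FAKE_KEY}";`,
  `pano.src = "https://maps.googleapis.com/maps/api/streetview?size=400x300&location=12.97,77.59&key=${FAKE_KEY}&signature=c2lnbmVk";`,
].join("\n");

console.log(auditBundle("app.bundle.js", SAMPLE));
```

A `high` finding is addressed by restricting the key to specific HTTP referrers and APIs in the Google Cloud console and enabling URL signing for the static endpoints.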

2nd Vulnerability:

When the program allocates memory to perform tasks, it forgets to free up that memory after use. As a result, memory usage keeps piling up like an ever-growing tower of blocks, slowly eating away the available resources.

Consequences:

This memory trouble can cause slow performance, making the program slower than a sleepy sloth. With time, the continuous memory usage can push the program towards a crash.

Reproduction:

Same as above: when I was checking through some .js files, I found another one which was all about debugging and some monitoring information, which was sensitive and shouldn't be exposed.

Tools used:

Using memory profiling tools like pprof or Valgrind.

https://github.com/google/pprof
https://valgrind.org/

Conclusion:

Swiggy’s “Memory Leak” is a sneaky foe that can quietly cause mayhem if left unchecked.

Report to Swiggy regarding memory leak

Reply from Swiggy:

Sadly, both of the vulnerabilities are duplicates. It’s disheartening to accept this fact, but it’s an opportunity for learning. So, I just wanted to give you a heads up on how I came across these duplicate vulnerabilities. It’s actually pretty cool because it adds to what we can learn from the whole experience.

NOTE: No automated tool can replace the human brain, so try to exploit on your own; try doing it without any automated tools so it enhances our skills and knowledge.


Published in InfoSec Write-ups


Written by Varshini Ramesh

||Pentester||Technophile||Papyrophiliac||Astrophile||
