Security Market Segment LS
Tuesday, 24 July 2018 11:25

CyberArk details hole in Google APIs on eve of search giant's security blitz


On the eve of Google's campaign to flaunt its security credentials by marking sites which do not have https, the Israeli security firm CyberArk has revealed details of a flaw in the search giant's own APIs, which could have caused it to lose considerable income.

In a detailed blog post, CyberArk researcher Arik Kublanov said the vulnerability was in Google's APIs and had been called Shadow Keys.

When a user of Google's services sets up a project, an API key is automatically created for that project by Google. Shadow Keys are essentially illegitimate copies of these keys - since the owner of the project is unaware of the creation of the original API key, he/she would also be unaware of the Shadow Keys.

"This was a significant vulnerability because if an attacker were to obtain a Google API key through nefarious actions, they could then create a shadow key to access applications as if it was the original user key," Kublanov wrote. "The attacker could also bypass the detection/billing system of some Google API services."

Kublanov said the API key allowed one to monitor an application's usage using the Google API console. The API key provides access to a generous quota for an average plan and one can pay if one goes above the specified quota.

Google customers who have premium plans have to use an API key to access all features and benefits of that plan.

Kublanov said that by using a service that enumerated valid and invalid API keys, the CyberArk researchers were able to forge a shadow key when the original key was malformed.

"We used a vector that we called 'Malform', which allowed us to rotate one valid key from left to right from index=6 until the end of the key index=39, and each time we could change one character to be from the following characters: abcdefghijklmnopqrstuvwyxzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_," he said.

By doing this, the researchers obtained three more keys - the Shadow Keys. " Only the character in the index of 39 was changed, and all three were valid keys that could be used to access the user’s application data."

He said using these Shadow Keys, they were able to access the project in question, bypass detection and avoid payment, simply because the owner's dashboard did not recognise the shadow API key as belonging to the owner's application.

"Using only a single valid Google API key, it was possible to create shadow keys that went undetected and could avoid payments to Google," Kublanoc said.

"With only a valid key, an attacker could create shadow keys and sell them to other malicious actors, giving them the ability to access the same applications and data as the original valid key, but go undetected by Google."

He said Google had been notified of the flaw in January, soon after CyberArk discovered it. It had been fixed on 24 May.


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments