BUG ISSUES IN GOOGLE MAP JAVASCRIPT API

Published At 2025/Aug/24
Bug in the Map: How a Malicious Script Bypasses Google's API

Posted by Tech Enthusiast | August 24, 2025

Google Maps is an essential tool for navigation, location-based services, and more. With powerful features like nearest object detection (for restaurants, hospitals, offices, etc.), its functionality is indispensable for web developers. These features are typically integrated into websites using the Google Maps JavaScript API. However, a significant policy change on June 11, 2018, shifted this from a free service to a paid one, requiring an API key for access. This new policy creates a financial barrier for many developers and projects.

In response to this, a new web application named ‘Project Notun-Thikana’ (Online Accommodation Finder) has been developed. This project demonstrates a novel way to bypass the authentication of the Google Maps JavaScript API key, effectively making the map visible and functional without incurring any cost. The key to this exploit lies in a meticulously crafted piece of malicious JavaScript that turns off the API key’s authentication process.

While some websites have previously shown similar concepts, our model introduces unique features that make it stand out. The proposed model not only displays the map but also calculates the distance to the nearest objects (like restaurants or hospitals) from a user’s current location using the Haversine formula. This formula precisely measures the great-circle distance between two points on a sphere, in this case, the Earth's surface, using their longitudes and latitudes. The geographical location of the nearest object is then accurately plotted on the Google Map.
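The distance step described above can be sketched as follows. This is an added example, not code from Project Notun-Thikana: the function names, the Earth radius constant and all coordinates are constructed for illustration, and it covers only the Haversine nearest-object calculation, not the map display.

```javascript
// Added example: nearest-object lookup with the Haversine formula.
// Function names and all sample data below are constructed for illustration.
const EARTH_RADIUS_KM = 6371.0088; // mean Earth radius; spherical model assumed

const toRad = (deg) => (deg * Math.PI) / 180;

// Reject missing, non-numeric or out-of-range coordinates before doing any math.
function assertCoord(p) {
  const ok = p && Number.isFinite(p.lat) && Number.isFinite(p.lng) &&
    Math.abs(p.lat) <= 90 && Math.abs(p.lng) <= 180;
  if (!ok) throw new RangeError(`invalid coordinate: ${JSON.stringify(p)}`);
}

// Great-circle distance in kilometres between two {lat, lng} points.
function haversineKm(a, b) {
  assertCoord(a);
  assertCoord(b);
  const dLat = toRad(b.lat - a.lat);
  const dLng = toRad(b.lng - a.lng);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLng / 2) ** 2;
  // Clamp to [0, 1]: rounding can push h slightly past 1 for antipodal points.
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(Math.min(1, Math.max(0, h))));
}

// Returns { name, km } for the closest place of the given type, or null if none.
function nearestPlace(user, places, type) {
  let best = null;
  for (const p of places) {
    if (p.type !== type) continue;
    const km = haversineKm(user, p);
    if (best === null || km < best.km) best = { name: p.name, km };
  }
  return best;
}

// Constructed sample data: a user position and three candidate places.
const USER = { lat: 23.8103, lng: 90.4125 };
const PLACES = [
  { name: "Hospital A", type: "hospital", lat: 23.7461, lng: 90.3742 },
  { name: "Hospital B", type: "hospital", lat: 23.8223, lng: 90.4200 },
  { name: "Restaurant C", type: "restaurant", lat: 23.8110, lng: 90.4130 },
];

console.log(nearestPlace(USER, PLACES, "hospital"));
```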

This approach highlights a significant vulnerability—it essentially acts as a Google Maps phishing site. By leveraging a bug in Google's system, the application mimics core features of Google Maps without authorization. The primary objective of this model is to serve as a proof-of-concept: to show how an equivalent feature to Google Maps can be implemented using a bug in their system and, most importantly, to expose the harmful implications and security risks associated with such exploits.

Keywords: Google Map, Google-Maps-JS-API, Malicious JavaScript Code, Phishing Site, Haversine Formula.

The findings and proof-of-concept model described here were formally recognized and accepted for presentation at the 1st International Multidisciplinary Online Conference (IMOC), organized by Tarlac State University. This acknowledgment underscores the academic and practical significance of addressing vulnerabilities in widely used platforms like Google Maps.

Disclaimer: This article is for informational and educational purposes only. It is not an endorsement of hacking or illegal activities. The information is provided to highlight a security vulnerability and the harmful aspects of such exploits.
