{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/googlemaps/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Places API","gmaps-mcp"],"_cs_severities":["high"],"_cs_tags":["googlemaps","unauthenticated-access","api-abuse","injection"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThe \u003ccode\u003egmaps-mcp\u003c/code\u003e package (version 0.1.2 and earlier) is vulnerable to a critical flaw that allows unauthenticated attackers to make unlimited Google Maps API calls at the operator\u0026rsquo;s expense. This occurs because the HTTP transport in \u003ccode\u003eserver.py\u003c/code\u003e does not enforce authentication when the \u003ccode\u003eMCP_API_KEY\u003c/code\u003e environment variable is not set, which is the default configuration. As a result, any attacker who knows the server\u0026rsquo;s URL can invoke the API and generate billed requests. The default configuration, as detailed in the README, instructs operators to expose the server via ngrok, making it accessible over the internet. Additionally, the \u003ccode\u003eplace_id\u003c/code\u003e parameter in \u003ccode\u003eclient.py\u003c/code\u003e is vulnerable to path injection, enabling attackers to manipulate the Places API endpoint. A Claude skill file is shipped with the package, creating a potential injection surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eOperator deploys \u003ccode\u003egmaps-mcp\u003c/code\u003e with the default configuration, including a blank \u003ccode\u003eMCP_API_KEY\u003c/code\u003e, and exposes the server using ngrok per README instructions.\u003c/li\u003e\n\u003cli\u003eAttacker discovers the ngrok URL through public endpoint scans or targeted probes.\u003c/li\u003e\n\u003cli\u003eAttacker sends a POST request to the \u003ccode\u003e/mcp/\u003c/code\u003e endpoint without an \u003ccode\u003eX-API-Key\u003c/code\u003e header, invoking a Google Maps API tool.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eserver.py\u003c/code\u003e code at lines 186-192 bypasses authentication checks because \u003ccode\u003eMCP_API_KEY\u003c/code\u003e is unset.\u003c/li\u003e\n\u003cli\u003eThe request is forwarded to the Google Maps API, using the operator\u0026rsquo;s \u003ccode\u003eGOOGLE_MAPS_API_KEY\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Google Maps API processes the request and returns the result to the attacker.\u003c/li\u003e\n\u003cli\u003eThe operator\u0026rsquo;s Google Cloud Platform (GCP) account is charged for the API usage.\u003c/li\u003e\n\u003cli\u003eAttacker repeats the process to exhaust the operator\u0026rsquo;s free credit or generate significant charges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can result in significant financial losses for the operator due to unauthorized Google Maps API usage. An attacker can quickly exhaust the $200/month free credit, potentially leading to substantial charges. The Places API pricing is roughly $17 per 1,000 requests, and a sustained 1 request/second flood can exhaust the credit in approximately 3 hours. Furthermore, the path injection vulnerability in the \u003ccode\u003eplace_id\u003c/code\u003e parameter allows attackers to manipulate the Places API endpoint, potentially forcing higher-cost API calls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the suggested fix by adding a startup check in \u003ccode\u003eserver.py\u003c/code\u003e or \u003ccode\u003erun.py\u003c/code\u003e that exits if \u003ccode\u003eMCP_API_KEY\u003c/code\u003e is unset when using HTTP transport, preventing unauthenticated access (see \u003ccode\u003eserver.py\u003c/code\u003e lines 186-192).\u003c/li\u003e\n\u003cli\u003eUpdate the \u003ccode\u003e.env.example\u003c/code\u003e file to clearly indicate that setting \u003ccode\u003eMCP_API_KEY\u003c/code\u003e is required for HTTP transport (see \u003ccode\u003e.env.example\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAdd a warning to the README file before the ngrok instructions, emphasizing the importance of setting \u003ccode\u003eMCP_API_KEY\u003c/code\u003e to prevent unauthorized API calls (see README).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect gmaps-mcp Place ID Injection Attempt\u003c/code\u003e to identify potential path injection attacks via the \u003ccode\u003eplace_id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-gmaps-mcp-unauth-api/","summary":"The gmaps-mcp package allows unauthenticated access to Google Maps API calls when deployed with a blank MCP_API_KEY, potentially leading to significant financial costs for the operator; it also permits path injection attacks.","title":"gmaps-mcp Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls","url":"https://feed.craftedsignal.io/briefs/2024-01-30-gmaps-mcp-unauth-api/"}],"language":"en","title":"CraftedSignal Threat Feed — Googlemaps","version":"https://jsonfeed.org/version/1.1"}