Publicly Accessible API Key for Google Maps

I received an email from Google Cloud Platform saying my API Key (for Google Maps) is publicly accessible via my app.

I checked, and the key they reported is indeed the same key in my app's General → Settings.

I am hoping someone might be able to help me identify how this key is supposedly public. Being fairly novice, I guess I assumed that placing the key in settings meant it would not be publicly accessible from the front end of my app.

I am not sure whether to post my app's URL publicly, but no doubt to help me you might want this… maybe I could add someone willing to assist as an admin on the site to take a look?

Anyways, really appreciate any advice if someone has time to spare!

Thanks!

They’re talking about how you have no controls on your key in Google.

But, last time I checked, Bubble doesn’t let you secure it further so I’m not sure there’s anything you can do about it.

This is an old issue.

Someone with a bigger axe to grind about this should chime in…

Hi Keith, Thanks for the quick reply (and kinda reassuring, only in that there is maybe nothing horribly wrong?)

Would be great to hear from others and maybe I should also ask Bubble just to keep the question alive over there as well?

Cheers Simon

If you search for this you’ll find it. AFAIK it’s a longstanding issue.

I got a similar email as well, recently.

In the email this is what they suggest as the next steps:
[Image: Screenshot 2023-03-11 at 6.07.26 PM]

I wonder which one is our case and what exactly we should be doing. Would be great if someone can guide us there.

@anon71899553 were you able to make any progress on this?

Hi @mghatiya

I contacted Bubble Support, and here is the conversation:

They first responded that:

"The official Bubble instructions for setting up these API keys can be found here: https://manual.bubble.io/help-guides/working-with-data/working-with-location-data. We recommend ensuring the proper referrer security protection is set in your Google Console. This will prevent unauthorized access even if the API key is available. We elaborate on this process for the Google API keys in this video. Therefore, if those steps have already been taken, your Google API key should be protected.

Please note that the keys are separated into “client” key and “server” key. The client key is meant to be exposed (but you can add restrictions to it), and the server key is kept protected.

This is the way that Bubble has the integration built into our system, and it is required that things are set up this way to use the built in functionality. You can of course use the API connector and custom calls if you’d like to explore setting up custom integrations that increase or change the security aspects of the integration."

I then followed up with:

"I have already set up according to the Bubble instructions.

So, does that mean:

  1. Google reported a false positive

  2. Bubble has a known issue that you cannot or will not correct?"

And they responded with:

"Thank you for following up. With the appropriate restrictions, the key might be public but other people won’t be able to use it since it’s attached to your domain."

So that seems to mean the key might be visible (why on earth they would do that), but so long as we set up security as per the Bubble instructions, that key will be useless to anyone.

We’ll keep getting Google’s adverse report but I don’t think there are negative consequences to that…they just warn you the key could be public and leave it at that. I have had no further followup from Google so far.

Hope that helps

Simon

Thanks Simon. That helps.
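
An added illustration, not part of any post in this thread and not Bubble's or Google's code: the Maps JavaScript API is loaded by the visitor's browser with the key in the script URL, which is why a "client" key shows up in page source and why the referrer restriction matters. The sketch below audits a page's HTML for such keys; the sample page, the `appSettings` name and the key are constructed placeholders, not Bubble's actual markup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Widely documented shape of a Google API key: "AIza" + 35 URL-safe characters.
KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

class KeyFinder(HTMLParser):
    """Collect Google API keys that a browser would receive with the page."""
    def __init__(self):
        super().__init__()
        self.findings = []        # list of (where, key)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src") or ""
        url = urlparse(src)
        # The Maps JavaScript API loader carries the client key as ?key=...
        if url.hostname == "maps.googleapis.com":
            for key in parse_qs(url.query).get("key", []):
                self.findings.append(("maps script src", key))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Keys embedded in inline JavaScript (e.g. a settings object).
        if self._in_script:
            for key in KEY_RE.findall(data):
                self.findings.append(("inline script", key))

def find_exposed_keys(html):
    finder = KeyFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page; the key is a made-up placeholder, not a real one.
FAKE_KEY = "AIza" + "X" * 35
SAMPLE_HTML = f"""
<html><head>
<script src="https://maps.googleapis.com/maps/api/js?key={FAKE_KEY}&amp;callback=initMap"></script>
<script>window.appSettings = {{"google_maps_key": "{FAKE_KEY}"}};</script>
</head><body><div id="map"></div></body></html>
"""

if __name__ == "__main__":
    for where, key in find_exposed_keys(SAMPLE_HTML):
        print(f"{where}: {key[:8]}... is delivered to every visitor")
```

Any key this reports on your own pages should be the restricted client key; a server key appearing here would be the case to fix.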