This Student Ran Up a $55,444.78 Google Cloud Bill

Reddit user Sandrrikk on r/googlecloud accidentally committed his Google Cloud API key to the public GitHub repository for a side project he was building at the beginning of the summer. Like we’ve all done before, he committed his code and proceeded to forget about the project over the course of the summer. Fast forward to the end of summer, and he gets an email from Google Cloud saying he owes them $55,444.78.

An online user emailed him, saying that his API key had been compromised, and multiple bad actors were using his API key to run up a fat bill. 

To make matters worse, while customer support patiently listened to him as he pleaded his case, ultimately they told him to fork over the cash or his debt would go to collections.

All because of a security vulnerability. 

While you might not have committed API keys to your GitHub project or set your repo to public, API key exposure is one of the most common security vulnerabilities that I see on websites. Often it stems from developers simply overlooking security measures, or misunderstanding how environment variables are stored on the front-end.

The primary thing to remember when it comes to environment variables for your application on the front-end is: nothing you store on the front-end is secure. Because the front-end part of your software application is completely open to anyone that visits your website, and it’s incredibly easy to view the front-end source code of any website, you should always assume that anything you store on the front-end can be compromised and implement your security standards with that in mind. 

To show you how easy it is, open up Google Chrome, right click, and open the inspector console on a website. You will see a tab labelled Sources; click it, and you are now viewing the folder structure and files of the website you are currently visiting.

Often a developer will need to make a network request to a third-party service like AWS. These services verify that you are a valid user by issuing an API key for your app to use when calling the service.

Since you can store environment variables on both the front-end and the back-end, developers will sometimes make the mistake of storing API keys in their front-end environment instead of the back-end, which is a critical security flaw. On the back-end, unless an attacker can SSH into the server environment or pull off a more involved attack, they have no access to your back-end code or environment variables, making it the secure default place to store sensitive environment variables.

The front-end is a different story. 

Anyone can see the code you load into a browser by inspecting the source code. You can try it yourself by opening Google Chrome, right clicking, and selecting Inspect. If you go over to the Sources tab, you’ll see a whole suite of files available for you to browse through. Often developers will obfuscate their code, a process of turning the human-readable naming conventions and formatting into a jumbled mess that is still executable but much harder for a human to decipher. Even so, storing any sensitive information client side allows anyone visiting your site to see it. If you were to store AWS API keys on your front-end, for instance, anyone could search through your client-side code in their browser, steal your API key, and proceed to run up your cloud bill.

To prevent this from happening, never store anything client side that you’re not willing to have exposed to the public; put sensitive environment variables, and any logic that requires access to them, on the back-end. This will keep your web application secure and stop you from making an expensive security mistake.
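As an added example (not code from the original post), here are the three pieces of that advice in plain JavaScript: how a front-end build pastes any environment variable with a "public" prefix into the shipped bundle, a scanner that flags key-shaped strings before they are committed or deployed, and a back-end handler that keeps the key in the server's environment and only forwards the upstream result. The REACT_APP_ prefix, the variable names, the upstream URL and the key values used in testing are constructed assumptions.

```javascript
// Added example, not code from the original post. Three pieces in one file:
// (1) inlineEnv: what a front-end bundler does with env vars that carry a
//     "public" prefix (REACT_APP_ is assumed here) - the value is pasted into
//     the shipped JavaScript as a literal, so it is visible in the Sources tab;
// (2) scanForSecrets: a pre-commit / CI check for key-shaped strings;
// (3) handleSearchRequest: the back-end pattern, where the key is read from
//     the server's environment and only the upstream result goes to the browser.

// Simplified model of build-time inlining; real bundlers differ in details.
function inlineEnv(source, env, publicPrefix = 'REACT_APP_') {
  return source.replace(/process\.env\.([A-Z0-9_]+)/g, (match, name) =>
    name.startsWith(publicPrefix) && name in env ? JSON.stringify(env[name]) : match);
}

// Well-known shapes of two common cloud credentials. A match means "review
// this", not "this key is live".
const SECRET_PATTERNS = [
  { name: 'Google API key', re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/ },
];

// Returns [{ name, line }] for every hit so a hook can fail the commit or build.
function scanForSecrets(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(line)) findings.push({ name, line: i + 1 });
    }
  });
  return findings;
}

// Back-end handler: the browser calls /api/search?q=..., the server attaches
// the key from its own environment and forwards the query. `fetchUpstream` is
// injected so the function is synchronous and testable; the upstream URL and
// SEARCH_API_KEY are hypothetical names.
function handleSearchRequest(requestUrl, serverEnv, fetchUpstream) {
  const url = new URL(requestUrl, 'http://localhost');
  if (url.pathname !== '/api/search') return { status: 404, body: '' };
  const upstream = new URL('https://api.example.com/search');
  upstream.searchParams.set('q', url.searchParams.get('q') || '');
  upstream.searchParams.set('key', serverEnv.SEARCH_API_KEY); // never echoed to the client
  return { status: 200, body: fetchUpstream(upstream.toString()) };
}
```

Run the scanner over your build output as well as your source tree: the bundle is where a public-prefixed variable actually ends up.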

 
