Unauthorized usage of External API Key (Usage of Google Maps API Key ==> $$$)

Disclosed: 2026-04-06 15:57:55 By avielt To glassdoor
Low
Vulnerability Details
> NOTE! Thanks for submitting a report! In order to make triage of vulnerabilities as streamlined as possible, please provide as much detail as possible. We have created a simple template which will aid in the submission process:

**Summary:** A badly configured Google Maps API key allows anyone to cause financial damage to Glassdoor by performing queries that cost Glassdoor thousands of dollars or more.

**Affected URL or select Asset from In-Scope:** https://www.glassdoor.com/jobs-ux-app/static/js/dist/jobSearch.bundle.js?v=9e1a1feryy

**Affected Parameter:** Google's API key, AIzaSyAzyn67z-olqQZ0QBxFkCu71r_dMZ000wo, which was not configured securely

**Vulnerability Type:** Violation of Secure Design Principles

**Browsers tested:** Not relevant for this report.

## Steps To Reproduce:

1. Browse the Glassdoor website while using an intercepting proxy.
2. In your browsing history and cache, search for strings that start with "AIz", which are usually Google Maps API keys.
3. Find the key (AIzaSyAzyn67z-olqQZ0QBxFkCu71r_dMZ000wo) inside the URL https://www.glassdoor.com/jobs-ux-app/static/js/dist/jobSearch.bundle.js?v=9e1a1feryy
4. Using the following GitHub page (https://github.com/streaak/keyhacks#Google-Maps-API-key), look up the relevant tests for a Google Maps API key. From my testing, the API key can be used for "Static Maps".
5. To confirm that the API key can be used, go to https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=AIzaSyAzyn67z-olqQZ0QBxFkCu71r_dMZ000wo. If you see the map, the API key can be used by anyone.
6. This means that anyone who wants to damage Glassdoor financially can use this API key hundreds of thousands of times and charge them. Each 1000 requests cost $2. This means that an automated process performing thousands of queries per minute can guarantee huge financial issues.

## Supporting Material/References (screenshots, logs, videos):

## Impact Description:

Potential Impact: Financial. Once an attacker finds that this API key is not protected, he can charge Glassdoor's account for thousands of dollars at any time.

Details of exploitation scenarios: same as above.

## Impact

Once an attacker finds that this API key is not protected, he can charge Glassdoor's account for thousands of dollars at any time.
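The two steps the report relies on, pulling the key out of a JavaScript bundle and checking it against the Static Maps endpoint, are shown below as an added example; this is not the reporter's code nor anything from Glassdoor. The bundle text and the key in it are constructed (the key only has the right shape, 39 characters starting with `AIza`), and the response classification assumes that an accepted key answers with HTTP 200 and an `image/*` body while a restricted or invalid key answers with a 4xx text error; that behaviour is not documented on this page.

```python
"""
Find Google-style API keys in a front-end bundle and build/interpret the
Static Maps probe request used in the report. Added example, not report code.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Google API keys are 39 characters: the literal prefix "AIza" followed by
# 35 characters from [A-Za-z0-9_-]. The \b anchors keep the pattern from
# matching a longer identifier that merely contains "AIza".
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

# Constructed stand-in for a minified JS bundle. This is NOT the Glassdoor
# bundle; the key below is made up and matches only the key format.
SAMPLE_BUNDLE = (
    'var a=1;googleMaps.init({key:"AIzaSyEXAMPLE_KEY_0123456789abcdefghijk",'
    'libraries:["places"]});var b="AIzaTooShort";'
    'fetch("https://maps.googleapis.com/maps/api/js?'
    'key=AIzaSyEXAMPLE_KEY_0123456789abcdefghijk")'
)

STATIC_MAPS_ENDPOINT = "https://maps.googleapis.com/maps/api/staticmap"


def find_google_api_keys(text):
    """Return the distinct Google-style API keys in a JS/HTML blob, in first-seen order."""
    found = []
    for match in GOOGLE_API_KEY_RE.finditer(text):
        key = match.group(0)
        if key not in found:
            found.append(key)
    return found


def static_map_probe_url(key, center="45,10", zoom=7, size="400x400"):
    """Build the same Static Maps request the report uses to test a key."""
    query = urlencode({"center": center, "zoom": zoom, "size": size, "key": key})
    return f"{STATIC_MAPS_ENDPOINT}?{query}"


def classify_probe_response(status, content_type, body):
    """
    Turn a Static Maps response into a verdict.

    Assumed behaviour (not stated on the report page): an accepted key returns
    HTTP 200 with an image/* body; a key blocked by an API or HTTP referrer
    restriction returns HTTP 403 with a short text error; a revoked or
    mistyped key returns a 4xx error mentioning that the key is invalid.
    """
    text = body.decode("utf-8", errors="replace") if isinstance(body, bytes) else body
    text = text.lower()
    if status == 200 and content_type.startswith("image/"):
        return "usable"        # anyone holding the key can bill the owner's account
    if status == 403 and ("referer" in text or "not authorized" in text):
        return "restricted"    # referrer or API restriction is doing its job
    if "invalid" in text:
        return "invalid"       # revoked or mistyped key
    return "unknown"


def probe_key(key, timeout=10):
    """Live check over the network; only run it against keys you are authorised to test."""
    req = urllib.request.Request(static_map_probe_url(key),
                                 headers={"User-Agent": "key-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe_response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:
        return classify_probe_response(err.code, err.headers.get("Content-Type", ""), err.read())


if __name__ == "__main__":
    # Offline walk-through on the constructed bundle; probe_key() is not called here.
    for found_key in find_google_api_keys(SAMPLE_BUNDLE):
        print("found key:", found_key)
        print("probe URL:", static_map_probe_url(found_key))
    print(classify_probe_response(200, "image/png", b"\x89PNG"))
    print(classify_probe_response(403, "text/plain",
                                  b"This API key is not authorized to use this service or API."))
```

A key shipped in client-side JavaScript cannot be kept secret, so the fix is not to hide it better but to make it useless outside the site: restrict it to the site's HTTP referrers and to the APIs the page actually calls, and set quota limits and billing alerts so that a leaked key caps the spend rather than the attacker deciding it. The `restricted` verdict above is what a correctly configured key should produce when probed from outside the allowed origin.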
Report Stats
  • Report ID: 881118
  • State: Closed
  • Substate: resolved
  • Upvotes: 4