
[BUG] Hardcoded ipgeolocation.io API Key Exposed in Public JavaScript Bundle on plotly.com #3769

@pand-coder

Description

Summary

An ipgeolocation.io API key is hardcoded and exposed in a publicly accessible JavaScript bundle on plotly.com.

Location

File:
https://plotly.com/_next/static/chunks/8234-18cc4753646c1c12.js

Exposed Code Snippet

// Minified helper as it appears in the bundle; f.Z is presumably the app's HTTP client wrapper (assumption).
let y=async e=>{
    try{
        return(
            await f.Z.get(
                // The API key is a string literal shipped to every browser, not a server-held secret
                "https://api.ipgeolocation.io/ipgeo?apiKey="
                .concat("b71dcb53b0804c5898a9540dd7d1c6e7","&ip=")
                .concat(e)
            )
        ).data
    }catch(e){
        // Any request error is swallowed and null is returned
        return null
    }
};

Impact

  • Anyone visiting plotly.com can extract this API key.
  • The exposed key can be used to make unauthorized requests to ipgeolocation.io.
  • Potential risks include:
    • API quota exhaustion
    • Unexpected billing charges
    • Abuse of the service under Plotly's account

Proof of Concept

Screenshot 1 – API Key Exposure in JavaScript Bundle

Screenshot 2 – Tested the API by making the curl request

Screenshot 3 – Successful Unauthorized API Request Using Extracted Key

Vulnerability Name

Sensitive Information Exposure / Hardcoded API Key Disclosure

CWE Classification

  • CWE-798 — Use of Hard-coded Credentials
  • CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor

CVSS v3.1 Score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Base Score: 6.5 Medium

Severity Description

The application exposes a hardcoded third-party API key inside a publicly accessible JavaScript bundle. An attacker can extract and reuse the key to perform unauthorized requests against the associated service, potentially leading to API abuse, quota exhaustion, and unexpected billing charges.
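A build-time check for the pattern this report describes, added here as an example and not part of the issue or of Plotly's code: it scans bundle text for an ipgeolocation.io apiKey value baked in as a string literal (either via .concat as in the minified snippet, or written directly into the URL) and reports each hit with the key redacted. The sample bundle and its all-zero key are constructed for the example.

```javascript
// Two shapes of the leak: `apiKey=".concat("<key>"` (as in the minified snippet)
// and a key written straight into the URL string. ipgeolocation.io keys in the
// report are 32 hex characters, which is what the capture group expects.
const PATTERNS = [
  /apiKey=["']\s*\.concat\(\s*["']([0-9a-f]{32})["']/g,
  /apiKey=([0-9a-f]{32})/g,
];

// Show only the ends of the key so the scanner's own output does not re-leak it.
function redact(key) {
  return key.slice(0, 4) + "..." + key.slice(-4);
}

// Scan a bundle and return { line, key } findings, one per embedded key.
function findHardcodedIpgeoKeys(bundleText) {
  const findings = [];
  for (const re of PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(bundleText)) !== null) {
      const line = bundleText.slice(0, m.index).split("\n").length;
      findings.push({ line, key: redact(m[1]) });
    }
  }
  return findings;
}

// Constructed sample: the snippet's structure with a placeholder key, not the real one.
const SAMPLE_BUNDLE =
  'let y=async e=>{try{return(await f.Z.get("https://api.ipgeolocation.io/ipgeo?apiKey="' +
  '.concat("00000000000000000000000000000000","&ip=").concat(e))).data}catch(e){return null}};';

if (typeof require !== "undefined" && require.main === module) {
  // A non-empty result should fail the build step that runs this check.
  console.log(findHardcodedIpgeoKeys(SAMPLE_BUNDLE));
}
```

The same scan applied to the served chunk is a cheap regression test once the key is moved behind a server-side endpoint and rotated.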
