This repository has been archived by the owner on Mar 27, 2023. It is now read-only.

Exposed Mapbox Api Token

High
kevihiiin published GHSA-9p59-9j8h-93cq May 13, 2020

Package

No package listed

Affected versions

< 1.6

Patched versions

>= 1.7

Description

Problem

The Mapbox API key (access token) is hardcoded in the repository.

Impact

What kind of vulnerability is it? Who is impacted?
Anyone who has the access_token can use Mapbox under our account, generating clicks and costs on behalf of match4healthcare.

Patches

Has the problem been patched? What versions should users upgrade to?
The current key will expire in 7 days, on 20 March 23:59 UTC.
Please generate your own key; for more details, see Workarounds below.
The upcoming version 1.7 will fix it.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Restrict the token's allowed URLs to our domains only and rotate the key.
For forks currently using our key, please visit Mapbox and generate your own (testing) key.
If you expect more than 50,000 clicks, please check their pricing page and/or contact their sales team if you need a special tier (e.g. non-profit).
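A defensive check that complements the key rotation and URL restriction above, added here as an example that is not part of the advisory or the match4healthcare project: a small scanner that flags Mapbox-style tokens committed to a repository, suitable as a pre-commit or CI step. The token format it matches (a `pk.`/`sk.` prefix followed by two base64url segments) is this example's assumption, and the sample source line is constructed.

```python
import re
from pathlib import Path

# Mapbox access tokens are JWT-like strings prefixed with the token type:
# "pk." (public) or "sk." (secret). This pattern is an assumption made by
# this example, not something stated in the advisory.
MAPBOX_TOKEN_RE = re.compile(
    r"\b([ps]k)\.eyJ[0-9A-Za-z_-]{10,}\.[0-9A-Za-z_-]{10,}\b"
)


def find_tokens(text: str, source: str = "<inline>") -> list[dict]:
    """Return every Mapbox-style token in text, with its line number.

    Only a short prefix of the token is recorded so that scanner output
    (logs, CI annotations) does not itself leak the secret.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in MAPBOX_TOKEN_RE.finditer(line):
            token = match.group(0)
            hits.append({
                "source": source,
                "line": lineno,
                "kind": "secret" if match.group(1) == "sk" else "public",
                "token_prefix": token[:12] + "...",
            })
    return hits


def scan_tree(root: Path,
              suffixes=(".js", ".ts", ".html", ".py", ".env", ".json")) -> list[dict]:
    """Walk a checkout and collect token hits from likely source/config files."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                hits.extend(find_tokens(path.read_text(errors="ignore"), str(path)))
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
    return hits


# Constructed sample: one hardcoded token (a finding) and one token read from
# the environment at runtime (the pattern a fix should use instead).
SAMPLE_SOURCE = """\
mapboxgl.accessToken = 'pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJjazEyMzQ1Njc4OTAifQ.abcDEFghiJKLmnoPQRstuVWX';
const token = process.env.MAPBOX_TOKEN;
"""

if __name__ == "__main__":
    for hit in find_tokens(SAMPLE_SOURCE, "app.js"):
        print(f"{hit['source']}:{hit['line']}: {hit['kind']} token {hit['token_prefix']}")
```

Run it with `scan_tree(Path("."))` from the repository root to check a whole checkout; a non-empty result should fail the pipeline step.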

References

Are there any links users can visit to find out more?
https://docs.mapbox.com/accounts/overview/tokens/
https://docs.mapbox.com/accounts/overview/tokens/#url-restrictions

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs