Now google maps does not have any user specific data, so may be API_KEY abuse is not that big an issue.
Sentry suggests to not send any PII in the events anyway, so in case it was possible to get data somehow, at least the guidelines are clear.
But what about products like Intercom, where the primary functionality is collecting user data in some form or the other. If someone knows the unique id of another user in intercom, they can basically see all the data from the other user, their chats , their messages etc. Intercom is a completely frontend setup, where the request to the intercom script and the intercom server happen through the front end, so if the front end can get user’s data through intercom, then any other user can get another user’s data by initiating intercom with the other user’s id on their browser or directly using curl. There is no auth as such, there is an app key which is also completely frontend.
I am just trying to understand how do such applications secure themselves?
Some points about intercom:
- it opens in an iframe, with intercom.com domain
- possibly the api has CORS restrictions, so only requests from intercom.com domain are allowed, but these restrictions are not applicable for curl