Spaces:

protocol-jarvis
/

Jarvis_protocol

Running

Live API key exposed in your public Hugging Face Space

by Dante45 - opened 5 days ago

Summary:
A valid, active Google API key was found hardcoded in a public Hugging Face Space. The key was created on 2026-04-13 and is currently usable.

Steps to Reproduce:

Visit the Space: https://huggingface.co/spaces/protocol-jarvis/Jarvis_protocol
View the file: index.html
The key appears as: AIzaSyAjGP... (full key withheld)

Impact:
An attacker could use this key to:

Incur significant API costs on your account
Access any associated data or services
Potentially pivot to internal resources if the key has broad permissions

Recommendation:

Immediately revoke the exposed key via your [provider] dashboard
Use Hugging Face Secrets (environment variables) instead of hardcoding
Rotate any other keys that may share the same pattern

Proof of Concept (Safe):
I validated the key using the provider's free /models endpoint, which confirmed it is active. No paid API calls were made.

Disclosure:
I am a 16yr old bug hunter reporting this in good faith. I have not shared or abused this key. Am saving to buy a new pc.

Request:
Does your organization have a bug bounty program? I would like to submit this for consideration and have a great day.

Upload images, audio, and videos by dragging in the text input, pasting, or clicking here.

Tap or paste here to upload images

· Sign up or log in to comment