
Mapbox Token

Mapbox access tokens authenticate requests to Mapbox's location services: map tiles and styles, fonts, geocoding, navigation and the rest of the API surface. Every token belongs to an account, which is how usage is metered and billed, and carries a set of scopes that bounds what it may do. Mapbox issues three kinds: public tokens (prefix pk.) are meant to ship in client-side code and only ever hold read scopes; secret tokens (prefix sk.) can hold write scopes such as styles:write or tokens:write and must stay server-side; temporary tokens (prefix tk.) expire on their own. An exposed token lets anyone consume services on your account, which shows up as unexpected charges, and an exposed secret token can additionally read, change or delete account resources.


How Does It Look

A Mapbox token is three dot-separated parts: the kind prefix (pk., sk. or tk.), a base64url-encoded JSON payload that encodes to something starting with eyJ and names the owning account ("u") and the token id ("a"), and a signature. The sample token used below decodes to {"u":"example","a":"ckey"}; real payloads are longer because they carry a full token id. Tokens turn up in contexts such as:

  • Environment variables:

    export MAPBOX_TOKEN=pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJja2V5In0.1234567890abcdef
  • Configuration files (JSON, YAML, .env):

    {
      "mapbox": {
        "token": "pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJja2V5In0.1234567890abcdef"
      }
    }
  • Code snippets:

    const mapboxToken = "pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJja2V5In0.1234567890abcdef";
  • Style or API URLs that carry the token as a query parameter:

    mapbox://styles/example/ckey1234567890abcdef?access_token=pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJja2V5In0.1234567890abcdef

Severity

  • 🟠 High

The severity depends on the kind of token. A secret (sk.) token is the high-severity case: it lets anyone bill usage to your account and, depending on its scopes, read or modify account resources such as styles, tilesets and datasets, or mint further tokens. A public (pk.) token is designed to be embedded in client-side code, so finding one in a web bundle is expected; the risk is a public token with no URL restriction, which any site or script can use to consume services on your account with the cost landing on you. The blast radius covers every product that uses the token and the account's billing.


What Can an Attacker Do?

With a working token an attacker can, within that token's scopes and URL restrictions:

  • Consume services on your account: request tiles, styles, fonts, geocoding and navigation APIs as if they were you.
  • Run up your bill: a public token without URL restrictions can be dropped into any third-party site or script, and every request is metered against your account.
  • Read account data: a secret token with read scopes exposes private styles, tilesets, datasets and uploads.
  • Modify resources: a secret token with write scopes (for example styles:write or tilesets:write) can alter or delete the styles and tilesets your products render.

The escalation path to watch is a secret token holding tokens:write: it can create new tokens with any scope, including further secret tokens that survive deletion of the one that leaked.


Real-World Impact

Exposure of a Mapbox token poses concrete business risks:

  • Data exposure: private styles, tilesets and datasets become readable if the token carries the matching read scopes.
  • Financial loss: every request made with the token is billed to your account, and a public token with no URL restriction can be abused from anywhere.
  • Operational disruption: Mapbox applies rate limits per account, so attacker traffic can push your own applications into rate-limit errors, and a token with write scopes can break the styles your products depend on.
  • Reputational damage: loss of trust if sensitive location data is exposed or misused, or if your maps are defaced.

In the worst case a leaked secret token with tokens:write, or a token found alongside other credentials, becomes a foothold for wider account compromise.


Prerequisites for Exploitation

Exploitation needs little beyond the token itself:

  • Network access: the ability to reach api.mapbox.com.
  • Nothing else for a public token: the payload already names the account, and any Mapbox endpoint accepts the token within its scopes and URL restrictions.
  • For a secret token: knowledge of its scopes, which the attacker obtains by querying the Tokens API with the token, to learn which write operations are available.

How to Verify If It's Active

To check whether a token still works, request a public style with it:

curl "https://api.mapbox.com/styles/v1/mapbox/streets-v11?access_token=[TOKEN]"

Valid credential response: HTTP 200 with the style definition as JSON.

Invalid, expired or revoked credential response: HTTP 401 with a JSON error body such as "Not Authorized - Invalid Token". A 401 can also come back for a live public token that has URL restrictions set, because a bare curl sends no Referer matching the allowed URLs, so one negative result is not proof the token is dead.

A more informative check is the Tokens API retrieve endpoint, GET https://api.mapbox.com/tokens/v2?access_token=[TOKEN], which answers with a code (TokenValid, TokenInvalid, TokenExpired or TokenRevoked) and, for a valid token, the token's scopes, which is exactly what you need to size the blast radius.


Detection Patterns

Common Variable Names:

  • MAPBOX_TOKEN
  • MAPBOX_ACCESS_TOKEN
  • MAPBOX_API_KEY
  • MAPBOX_SECRET
  • MAPBOX_KEY
  • MAPBOX_CLIENT_TOKEN

File Locations:

  • .env
  • config.json
  • settings.yaml
  • app-config.js
  • credentials.txt

Regex Pattern:

(?:pk|sk|tk)\.eyJ[a-zA-Z0-9\-_]{43,}\.[a-zA-Z0-9\-_]{6,}

Secret (sk.) and temporary (tk.) tokens share the shape of public (pk.) tokens and matter more, so the prefix alternation covers all three. The eyJ after the prefix is the base64url encoding of a JSON object's opening {" characters, which is what makes the pattern specific. Note that the shortened sample token used on this page has only 32 characters after eyJ and would not meet the 43-character floor; real tokens, whose payload carries a full token id, do.
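As an added example (not from the original page and not Mapbox code), the following Python script combines the verification and detection material above: it scans text for tokens with the pattern, decodes the payload offline to learn the token kind, owning account and token id, and, when network access is available, asks the Tokens API whether the token is still accepted and which scopes it holds. The payload length floor is lowered to 20 so the page's shortened sample token is caught. The Tokens API endpoint and response codes follow Mapbox's documentation; the sample .env content and the placeholder signatures are constructed for the example and would be rejected by Mapbox.

```python
import base64
import json
import re
import urllib.error
import urllib.request

# Mapbox tokens are three dot-separated parts: a kind prefix, a base64url JSON
# payload ({"u": <account username>, "a": <token id>, ...}) and a signature.
# The page's pk-only regex is widened to secret (sk.) and temporary (tk.)
# tokens; the payload floor is lowered to 20 so short illustrative tokens match.
MAPBOX_TOKEN_RE = re.compile(
    r"\b(?:pk|sk|tk)\.eyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{6,}\b"
)
TOKEN_KINDS = {"pk": "public", "sk": "secret", "tk": "temporary"}


def decode_payload(token):
    """Decode the JSON payload of a Mapbox token without contacting Mapbox."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected prefix.payload.signature")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(body))


def classify(token):
    """Return the token's kind, owning account and token id (nothing secret)."""
    payload = decode_payload(token)
    return {
        "kind": TOKEN_KINDS.get(token.split(".", 1)[0], "unknown"),
        "username": payload.get("u"),
        "token_id": payload.get("a"),
    }


def scan(text):
    """Find Mapbox tokens in text. One finding per match with line number,
    kind, account and token id; the token itself is only previewed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in MAPBOX_TOKEN_RE.finditer(line):
            token = match.group(0)
            try:
                info = classify(token)
            except ValueError:  # bad base64 or non-JSON payload: not a token
                continue
            info["line"] = lineno
            info["preview"] = token[:12] + "..."  # never log the full secret
            findings.append(info)
    return findings


def check_live(token, timeout=10):
    """Ask Mapbox whether the token is currently accepted and what it can do.

    Uses the Tokens API retrieve endpoint (GET /tokens/v2?access_token=...),
    whose response carries a code such as TokenValid, TokenInvalid,
    TokenExpired or TokenRevoked and, for valid tokens, the scopes.
    Needs network access; nothing below calls it offline."""
    url = "https://api.mapbox.com/tokens/v2?access_token=" + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:  # a JSON body still comes back on 401
        try:
            body = json.load(err)
        except ValueError:
            return {"code": "HTTP %d" % err.code, "scopes": []}
    return {"code": body.get("code"),
            "scopes": body.get("token", {}).get("scopes", [])}


def make_sample_token(prefix, username, token_id):
    """Build a syntactically valid token for the constructed sample below.
    The signature is a placeholder, so Mapbox would reject these tokens."""
    payload = json.dumps({"u": username, "a": token_id}, separators=(",", ":"))
    body = base64.urlsafe_b64encode(payload.encode()).rstrip(b"=").decode()
    return prefix + "." + body + ".0123456789abcdefghijkl"


# Constructed sample input: a .env with one public and one secret token, an
# unrelated setting, and a decoy that has the eyJ prefix but no JSON payload.
SAMPLE_ENV = "\n".join([
    "# constructed .env sample",
    "MAPBOX_TOKEN=" + make_sample_token("pk", "example", "ckey"),
    "MAPBOX_SECRET=" + make_sample_token("sk", "example", "cksecret0"),
    "AWS_REGION=us-east-1",
    "DECOY=pk." + "eyJ" + "A" * 24 + ".decoysig",
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENV):
        print(finding)
```

Running the script prints two findings (the public token on line 2 and the secret token on line 3); the decoy is dropped because its payload does not decode to JSON. The secret finding is the one to escalate first, and check_live on it tells you which scopes the attacker had.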

Remediation Steps

  1. Revoke immediately - In the Mapbox account page under Access Tokens, delete the compromised token (deletion is revocation; the token stops working at once). If the token was secret and held tokens:write, also list the account's tokens and delete any you did not create.
  2. Audit usage - Review the account's usage statistics for the exposure window and look for spikes by service or region that your own applications cannot explain.
  3. Assess blast radius - Identify all systems, applications and environments that used the exposed token, and, if it carried write scopes, check whether any styles, tilesets or datasets were changed.
  4. Rotate credential - Generate a replacement under Access Tokens with only the scopes the consumer needs: a public token with read scopes for anything that runs in a browser or mobile app, a secret token only on the server.
  5. Update dependent systems - Deploy the new token to all applications and CI/CD pipelines; if you deferred step 1 to avoid downtime, delete the old token as soon as the rollout finishes.
  6. Harden the token - Set URL restrictions on public tokens so Mapbox only honours them from your own domains. Mapbox's per-token controls are scopes and allowed URLs, not IP allowlists or per-token rate limits, so those two are the levers you have.
  7. Implement secrets management - Keep secret tokens in a secrets manager (HashiCorp Vault, AWS Secrets Manager) rather than in config files or source.
  8. Add detection controls - Set up pre-commit hooks and repository scanning for the pattern above so token leaks are caught before they reach production.
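Steps 1, 4, 5 and 6 can be scripted against Mapbox's Tokens API. The Python below is an added example, not Mapbox code or code from this page: it builds a least-privilege replacement (refusing tokens:write and requiring https allowed URLs), creates it, confirms Mapbox accepts it, hands it to a deploy callback, and only then deletes the exposed token. The endpoint paths (POST /tokens/v2/{username}, GET /tokens/v2, DELETE /tokens/v2/{username}/{token_id}) follow Mapbox's Tokens API documentation; check them against the current docs before relying on this. The admin_token argument must be a secret token holding tokens:write, the example usernames and token ids are placeholders, and the http parameter exists so the flow can be driven by a fake client without touching the network.

```python
import json
import urllib.request

API = "https://api.mapbox.com"


def _http(method, path, token, body=None):
    """Minimal Tokens API call: the calling token goes in the query string,
    JSON in the body. DELETE answers 204 with no body, hence the None."""
    req = urllib.request.Request(
        API + path + "?access_token=" + token,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method=method,
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def build_replacement(note, scopes, allowed_urls=None, expires=None):
    """Request body for POST /tokens/v2/{username}, with least-privilege checks."""
    if not scopes:
        raise ValueError("a token needs at least one scope")
    if "tokens:write" in scopes:
        # A token that can mint other tokens is an account-takeover primitive
        # and never belongs in an application deployment.
        raise ValueError("refusing to issue an application token with tokens:write")
    body = {"note": note, "scopes": sorted(set(scopes))}
    if allowed_urls:
        if any(not url.startswith("https://") for url in allowed_urls):
            raise ValueError("allowedUrls must be https origins")
        body["allowedUrls"] = list(allowed_urls)  # URL restriction for public tokens
    if expires:
        body["expires"] = expires  # ISO 8601; yields a temporary tk. token
    return body


def rotate_token(username, admin_token, old_token_id, note, scopes,
                 allowed_urls=None, deploy=None, http=_http):
    """Create the replacement, prove it works, roll it out, then delete the
    exposed token. admin_token must be a secret token holding tokens:write.
    Returns the new token string."""
    created = http("POST", f"/tokens/v2/{username}", admin_token,
                   build_replacement(note, scopes, allowed_urls))
    new_token = created["token"]

    # Confirm Mapbox accepts the new token before revoking the old one.
    status = http("GET", "/tokens/v2", new_token)
    if status.get("code") != "TokenValid":
        raise RuntimeError("replacement token not valid: %s" % status.get("code"))

    # Push the new token to every consumer (secrets manager, CI, config).
    if deploy is not None:
        deploy(new_token)

    # Revocation in Mapbox is deletion; the exposed token stops working at once.
    http("DELETE", f"/tokens/v2/{username}/{old_token_id}", admin_token)
    return new_token


if __name__ == "__main__":
    # Placeholder values; a real run needs an account, an admin token and the
    # id of the exposed token, all of which are assumptions here.
    print(build_replacement("web map, rotated", ["styles:read", "fonts:read"],
                            allowed_urls=["https://app.example.com"]))
```

The order matters: creating and verifying before deleting means a failed create or a rejected replacement leaves the old token in place for you to revoke by hand, rather than leaving production without any working token. If the leaked token is being actively abused, invert the priority and delete first, accepting the outage.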

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.

