Now Google Maps does not have any user-specific data, so maybe API_KEY abuse is not that big an issue.
But what about products like Intercom, where the primary functionality is collecting user data in some form or the other? If someone knows the unique id of another user in Intercom, they can basically see all the data from the other user: their chats, their messages, etc. Intercom is a completely frontend setup, where the requests to the Intercom script and the Intercom server happen through the front end, so if the front end can get a user's data through Intercom, then any other user can get another user's data by initializing Intercom with the other user's id in their browser or directly using curl. There is no auth as such; there is an app key, which is also completely frontend.
I am just trying to understand how such applications secure themselves.
Some points about intercom:
- it opens in an iframe, on the intercom.com domain
- possibly the API has CORS restrictions, so only requests from the intercom.com domain are allowed, but these restrictions do not apply to curl
Never mind. Turns out Intercom allows enabling something called Identity Verification, where every time you initialize Intercom with a user id, you also need to send a user_hash, which is generated using a secret shared between you and Intercom and is an HMAC created using the user_id.
This acts as a password that you have created for the user to log in to Intercom. The unique id is comparable to your user ID, and the user_hash is comparable to your password. So while your id might be easy to guess or be used in different places, the password (although sent over the wire for the initial login) would be more secure and wouldn't be used directly elsewhere.
This would make it impossible for one user to impersonate another user, as the secret can't be leaked, and if you try logging in with another user_id using your user_hash, Intercom would disallow it.
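A worked model of the scheme described above, as an added example (not code from the original post or from Intercom): the server derives user_hash as an HMAC over user_id with the shared secret, and the receiving side recomputes it and rejects a hash that is paired with a different user_id. It assumes HMAC-SHA256 with a hex digest (confirm against Intercom's Identity Verification docs) and uses a constructed secret and app_id.

```python
import hashlib
import hmac
import json

# Constructed demo secret. The real one is issued in the Intercom dashboard
# and must stay server-side; only the derived user_hash reaches the browser.
IDENTITY_VERIFICATION_SECRET = b"constructed-demo-secret"


def make_user_hash(user_id: str, secret: bytes = IDENTITY_VERIFICATION_SECRET) -> str:
    """Server side: user_hash = HMAC(secret, user_id).

    Assumption: HMAC-SHA256 with a lowercase hex digest.
    """
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_user_hash(user_id: str, presented_hash: str,
                     secret: bytes = IDENTITY_VERIFICATION_SECRET) -> bool:
    """What the receiving end does: recompute the HMAC for the claimed user_id
    and compare in constant time. A hash minted for one user therefore fails
    when presented together with any other user's (possibly guessable) id."""
    expected = make_user_hash(user_id, secret)
    return hmac.compare_digest(expected, presented_hash)


def boot_payload(user_id: str, app_id: str = "constructed_app_id") -> dict:
    """Hypothetical server-side rendering of the front-end boot settings:
    app_id and user_hash are public values, the secret never leaves the server."""
    return {"app_id": app_id, "user_id": user_id,
            "user_hash": make_user_hash(user_id)}


if __name__ == "__main__":
    alice = boot_payload("user-1001")
    print(json.dumps(alice))
    # Alice's own hash verifies for Alice ...
    print(verify_user_hash("user-1001", alice["user_hash"]))
    # ... but the same hash presented with Bob's id is rejected.
    print(verify_user_hash("user-1002", alice["user_hash"]))
```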