Sourav Sahana


Sourav Sahana Uncategorized Basetrip API Key Exposure

Basetrip API Key Exposure

In June 2020, I found an Basetrip API Key exposing publicly in an android source code. That application has a bug bounty program in Bugcrowd , I reported the issue and my report Triaged.

Category: Sensitive Data Exposure > Critically Sensitive Data > Private API Keys

Status: Triaged

Bounty: Points

You can use apktool to decompile an apk and find these hard coded secret keys.

Let’s directly jump into the POC and cURL request:


curl --request GET --url '' --header 'Accept: application/json' --header 'x-api-key: <API_KEY>

You will get a valid response if the key is active/valid.

Leave a Reply

Your email address will not be published. Required fields are marked *

TopBack to Top