TL;DR

A default ArcGIS API key tied to Flock Safety's mapping environment was embedded in 53 public-facing JavaScript bundles, granting access to 50 private ArcGIS items and a unified map that aggregates data from thousands of deployments. The hardcoded key was remediated after disclosure, but a separate unauthenticated ArcGIS token-minting issue remained unpatched 55+ days after notification.

What happened

A researcher found a default ArcGIS API key embedded in client-side JavaScript served from 53 publicly accessible Flock Safety front-end bundles and development subdomains. That single credential provided access to Flock's ArcGIS mapping environment and metadata showing 50 private ArcGIS items. Flock's map — marketed as FlockOS — consolidates camera inventories, license-plate detections, patrol car GPS, drone telemetry, body-camera locations, CAD/911 data and other surveillance layers from approximately 12,000 law enforcement, community and private deployments. The exposed key had no referrer, IP or scope restrictions, meaning anyone with the key could query the ArcGIS API and reach those layers. The researcher also disclosed a separate vulnerability that allows unauthenticated minting of ArcGIS tokens scoped to Flock's production environment; the default-key exposure was later remediated but the token-minting issue remained unpatched more than 55 days after disclosure.

Why it matters

  • A single, unrestricted credential could be used to access consolidated surveillance layers drawing from thousands of agency and private deployments.
  • The mapping stack contained sensitive operational data including live and historical patrol car locations, camera inventories, license-plate and people detection alerts, and 911 incident transcripts.
  • Development environments were publicly accessible and configured with broader privileges than intended, increasing attack surface.
  • Lack of basic protections — no referrer, IP allowlist or limited API scopes — violated recommended ArcGIS practices and amplified exposure risk.

Key facts

  • 53 separate public-facing endpoints served the same default ArcGIS API key.
  • The key granted access to 50 private ArcGIS items (portal:app:access:item privileges).
  • Flock's unified mapping environment aggregates data from roughly 12,000 law enforcement, community and private deployments.
  • Deployments at risk included roughly 5,000 police departments, 6,000 community deployments and 1,000 private businesses (per the report).
  • Exposed categories included camera deployments, patrol car GPS, Axon body-camera locations, people and vehicle detections, hotlists, CAD/911 incidents, and Flock911 transcripts.
  • The exposed credential was the default API key auto-generated upon ArcGIS account creation (tagged appTitle: "Default API Key").
  • No referrer restrictions, IP allowlists or scoped permissions were applied to the exposed key.
  • The hardcoded-key issue was remediated following responsible disclosure; a related unauthenticated token-minting vulnerability remained unpatched 55+ days after reporting.
  • Development sites were configured with broader access than production and were publicly accessible.
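The finding that one default key was copied into 53 public bundles is the kind of thing a build-time scan of your own front-end assets can catch before deployment. The following is an added example, not code from the report or from Flock; it assumes that ArcGIS API keys carry the "AAPK" prefix (a heuristic you should tune to the key format your account actually issues) and runs over constructed sample bundles with made-up placeholder keys.

```python
import re
from collections import defaultdict

# Assumption: ArcGIS API keys begin with the "AAPK" prefix followed by a long
# base64-like body. Both the prefix and the minimum length are heuristics.
ARCGIS_KEY_RE = re.compile(r'\bAAPK[A-Za-z0-9_\-]{40,}\b')


def find_arcgis_keys(bundle_text):
    """Return the set of ArcGIS-style API keys found in one JS bundle."""
    return set(ARCGIS_KEY_RE.findall(bundle_text))


def keys_by_bundle(bundles):
    """Map each discovered key to the bundle names that embed it.

    `bundles` is a dict of {bundle_name: bundle_source}.
    """
    index = defaultdict(list)
    for name, text in bundles.items():
        for key in find_arcgis_keys(text):
            index[key].append(name)
    return dict(index)


def shared_keys(bundles, min_bundles=2):
    """Keys present in at least `min_bundles` distinct bundles.

    A single credential replicated across many public assets is exactly the
    pattern described in the Flock case; any hit here should be rotated and
    moved server-side or restricted by referrer/IP/scope.
    """
    return {k: sorted(v) for k, v in keys_by_bundle(bundles).items()
            if len(v) >= min_bundles}


# Constructed sample bundles; the keys are made-up placeholders, not credentials.
SAMPLE_BUNDLES = {
    "app.prod.js": 'const esriKey="AAPKexampleexampleexampleexampleexampleexample0001";',
    "app.dev.js": 'window.__cfg={arcgis:{apiKey:"AAPKexampleexampleexampleexampleexampleexample0001"}};',
    "map-widget.js": 'fetch(url+"?token=AAPKexampleexampleexampleexampleexampleexample0001")',
    "vendor.js": 'var AAPK=1; // unrelated identifier, too short to match',
    "other.js": 'apiKey:"AAPKdifferentdifferentdifferentdifferentdifferent9999"',
}

if __name__ == "__main__":
    for key, names in shared_keys(SAMPLE_BUNDLES).items():
        print(f"{key[:8]}... embedded in {len(names)} bundles: {', '.join(names)}")
```

Point the scanner at your built `dist/` output rather than source, since bundlers inline environment variables at build time and that is where a key silently ends up in a public asset.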

What to watch next

  • Whether the unauthenticated ArcGIS token-minting vulnerability will be remediated promptly (report notes it was unpatched 55+ days after disclosure).
  • Whether there is any evidence of active exploitation of the exposed API key or tokens (not confirmed in the source).
  • Whether affected partner agencies and customers received notifications and audits of data access following disclosure (not confirmed in the source).

Quick glossary

  • API key: A token used by applications to authenticate requests to a service and control access to specific resources.
  • ArcGIS: A geographic information system (GIS) platform from Esri that provides mapping, spatial data and geospatial services.
  • FlockOS: Flock Safety's ArcGIS-powered interface that consolidates multiple surveillance data streams onto a single map.
  • Hardcoded credential: A secret (like an API key or password) embedded directly in application code or client-side assets, making it exposed to anyone who can read that code.
  • Referrer restriction: A security control that limits API key use to requests originating from specified domains or origins.

Reader FAQ

Was the exposed default API key fixed?
Yes. The hardcoded default API key exposure was remediated following responsible disclosure; the report lists the default-key fix status as fixed (June 2025).

What types of data were accessible via the exposed mapping layer?
Map layers included camera deployments, device status and serials, patrol car GPS, body-camera locations, people and vehicle detection alerts, hotlists, CAD/911 incidents and Flock911 transcripts.

How was the credential exposed?
The default ArcGIS API key appeared in client-side JavaScript bundles served from publicly accessible development subdomains without referrer, IP or scope restrictions.

Is there evidence the exposed key was abused?
Not confirmed in the source.
