Ultimate Guide: Flock Hardcoded The Password For America's Surveillance...
I discovered a Default ArcGIS API key embedded in Flock Safety's public-facing JavaScript bundles. This single credential granted access to the company's ArcGIS mapping environment, and 50 private layers, the same infrastructure that consolidates license plate detections, patrol car locations, drone telemetry, body camera locations, 911 call data, and surveillance camera locations from approximately 12,000 law enforcement, community, and private sector deployments nationwide.
The key was not restricted by referrer, IP, or origin, allowing it to be used by anyone, anywhere. It was exposed publicly across 53 separate Flock Safety front-end bundles and environments, each instance independently granting access to their ArcGIS mapping platform.
Across the United States, license plate readers, drones, and audio sensors quietly record the movements of millions of people every day. Flock Safety operates one of the largest and most rapidly expanding of these networks, with hundreds of thousands of cameras generating over 30 billion vehicle detections each month, and an undisclosed amount of people detections.
At the center of this infrastructure is FlockOS, which Flock markets under the headline "One map. Smarter Response." According to their own documentation, the ArcGIS-powered interface "consolidates all data streams and the locations of each connected asset, enabling greater situational awareness and a common operating procedure." (Source: ClearGov Resource Document)
That "one map" is not a metaphor. It is the ArcGIS stack itself, and the exposed API key unlocked it.
The exposed credential was an organization-wide ArcGIS API key tied directly to Flock Safety's ArcGIS mapping environment. It appeared in client-side JavaScript bundles served from development subdomains that were publicly accessible.
Querying the ArcGIS API with this key returned metadata confirming its scope and the extent of Flock's misconfiguration:
The credential was tagged appTitle: "Default API Key", the auto-generated key Esri creates at account signup. According to Esri's ArcGIS documentation:
The key's metadata listed 50 "portal:app:access:item" privileges, each granting access to a private ArcGIS item.
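The two checks described above, as an added example that is not code from the article or from Flock Safety: a defender scanning a front-end bundle for an embedded `apiKey` assignment, then triaging the key's metadata by the signals the article names (the auto-generated "Default API Key" title, the count of `portal:app:access:item` privileges, and whether any referrer restriction exists). The bundle snippet, the key value and the `httpReferrers` field name are constructed assumptions for illustration.

```python
import re

# Constructed stand-in for a minified front-end bundle that embeds a mapping
# API key. The key value is a placeholder, not a real credential.
SAMPLE_BUNDLE = (
    'const c={arcgisUrl:"https://example.maps.arcgis.com",'
    'apiKey:"PLACEHOLDER_KEY_00000000000000000000000000000000"};'
)

# Constructed metadata of the shape the article describes for the key.
# appTitle and the privilege format come from the article; httpReferrers is an
# assumed field name used here to model a referrer restriction.
SAMPLE_METADATA = {
    "appTitle": "Default API Key",
    "httpReferrers": [],
    "privileges": [
        "premium:user:geocode:temporary",
        "portal:app:access:item:abc123def4567890abc123def4567890",
        "portal:app:access:item:0123456789abcdef0123456789abcdef",
        "portal:app:access:item:feedfacefeedfacefeedfacefeedface",
    ],
}

# A key literal assigned to an apiKey property/variable in JavaScript source.
KEY_IN_SOURCE = re.compile(r'apiKey\s*[:=]\s*["\']([A-Za-z0-9_\-]{20,})["\']')
# ArcGIS item ids are 32 hex characters; only exact item-access grants count.
ITEM_PRIV = re.compile(r"^portal:app:access:item:([0-9a-f]{32})$")


def find_embedded_keys(bundle_text: str) -> list[str]:
    """Return every apiKey literal found in a JavaScript bundle."""
    return KEY_IN_SOURCE.findall(bundle_text)


def triage_key_metadata(meta: dict) -> dict:
    """Rate an exposed key from its metadata: default key, item grants, referrer lock."""
    item_ids = [m.group(1) for p in meta.get("privileges", []) if (m := ITEM_PRIV.match(p))]
    is_default = meta.get("appTitle", "").strip().lower() == "default api key"
    restricted = bool(meta.get("httpReferrers"))
    if item_ids and not restricted:
        # Unrestricted item access: anyone holding the key reads every listed layer.
        severity = "critical" if is_default else "high"
    else:
        severity = "medium" if item_ids else "low"
    return {"is_default_key": is_default, "private_item_count": len(item_ids),
            "private_item_ids": item_ids, "referrer_restricted": restricted,
            "severity": severity}


if __name__ == "__main__":
    print(find_embedded_keys(SAMPLE_BUNDLE))
    print(triage_key_metadata(SAMPLE_METADATA))
```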
Given Flock's centralized "one map" architecture, where participating agencies contribute data to shared, Flock-owned layers rather than maintaining separate instances, each of those 50 private items likely aggregates data from hundreds or thousands of agencies. A single Detections lay
Source: HackerNews