Flock Safety Exposed ArcGIS API Key Across 53 Public Assets, Compromising Surveillance Infrastructure
By fuck_flock
Summary
A security researcher discovered that Flock Safety, a surveillance technology company, had hardcoded a default ArcGIS API key across 53 public-facing assets, exposing the mapping infrastructure used by approximately 12,000 law enforcement agencies, community deployments, and private businesses. The vulnerability granted access to 50 private data layers containing sensitive information about police departments, community surveillance deployments, and private sector installations. The issue was remediated following responsible disclosure, but it highlights significant security risks in critical surveillance infrastructure.
Key quotes
I discovered a Default ArcGIS API key embedded in Flock Safety's public-facing JavaScript bundles.
This single credential granted access to the company's ArcGIS mapping environment, and 50 private layers.
53 separate instances across public-facing assets compromising 50 data layers
~5,000 police departments, ~6,000 community deployments, and ~1,000 private businesses
A responsible disclosure documenting an organization-wide ArcGIS API key exposed across 53 public-facing assets