My First Accepted HackerOne Report: Finding Exposed Weglot API Keys Across 5 Targets

Good evening everyone. This writeup is about my first report accepted on HackerOne and how I found the same issue on 5 different targets.

Ziadali

~2 min read · April 15, 2026 (Updated: April 15, 2026) · Free: Yes

Today we'll talk about Weglot API keys.

What is Weglot?

Weglot is a paid translation service used by many websites to provide multilingual content. It works through an API that handles translation requests.

How I Found It

While testing websites, I checked the page source and JavaScript files.

A common indicator was keys or variables starting with:

wg_

Sometimes these values appeared directly in the HTML source, and sometimes inside linked .js files.

Quick Recon Method

Open the target website
View page source
Search for: weglot
Search for keys starting with: wg_

If you find an exposed API key, test whether it is still active.

Proof of Concept Request

I tested the key using a translation request like this:

curl -X POST \
'https://api.weglot.com/translate?api_key=wg_*******' \
-H 'Content-Type: application/json' \
-d '{
  "l_from":"en",
  "l_to":"fr",
  "request_url":"https://www.google.com/",
  "words":[
    {"w":"This is a blue car","t":1},
    {"w":"This is a black car","t":1}
  ]
}'

If the API returns translated content successfully, the key is active and usable.

Why This Matters

An exposed third-party API key can lead to:

Unauthorized use of a paid service
Resource abuse
Unexpected billing costs
Loss of control over external integrations