Updated · TechCrunch · May 24
Google API Keys Stay Live for 23 Minutes After Revocation, Extending Gemini Abuse Risk

1 article · Updated · TechCrunch · May 24
  • Aikido found compromised Google API keys can keep authenticating for up to 23 minutes after deletion, leaving a window for attackers to continue hitting Gemini services.
  • Joseph Leon said success rates during that lag were erratic but sometimes topped 90% in a given minute, allowing exfiltration of files and cached Gemini conversation data.
  • The finding follows reports that Google expanded API key permissions, letting publicly exposed Maps keys call Gemini and triggering five-figure bills, including $10,138 in 30 minutes and about AUD $17,000 for another developer.
  • Google refunded affected users but told The Register it will keep automatic billing tier upgrades that can raise limits to $100,000, prioritizing service continuity over user-set budget caps.
  • Google Cloud COO Francis de Souza is urging companies to build AI security in from the start, but the revocation lag highlights a gap between that advice and Google’s own platform safeguards.

Exposed for 23 Minutes: The Hidden Dangers of Delayed Google API Key Revocation

Overview

A major security issue was discovered by Aikido, revealing that when a Google API key is deleted, it can still be used for up to 23 minutes because revocation takes time to spread across Google’s infrastructure. This delay is not limited to one service but affects various Google Cloud APIs like BigQuery and Maps. During this window, attackers may unpredictably succeed in using the compromised key, making immediate deletion ineffective for stopping misuse. The problem is rooted in how Google’s system handles key revocation, highlighting a critical gap in API key security that puts sensitive data at risk.
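The lag described above is something a defender can measure from their own audit logs rather than take on trust. The following is an added example, not code from Aikido or Google, using constructed sample records: it correlates each key's deletion timestamp with later API requests, reports how long the deleted key kept working and the per-minute success rate during the lag, and flags any key whose observed lag exceeds the 23-minute window the article reports.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the article): when each key was deleted,
# and API request records as a defender might export from audit logs.
KEY_DELETIONS = {
    "key-A": datetime(2025, 5, 20, 10, 0, 0),
}
REQUEST_LOG = [
    # (timestamp, key id, HTTP status the API returned)
    (datetime(2025, 5, 20, 9, 59, 30), "key-A", 200),   # before deletion
    (datetime(2025, 5, 20, 10, 0, 40), "key-A", 200),   # still accepted
    (datetime(2025, 5, 20, 10, 1, 5), "key-A", 403),    # rejected by one backend
    (datetime(2025, 5, 20, 10, 1, 50), "key-A", 200),   # accepted again (erratic)
    (datetime(2025, 5, 20, 10, 22, 10), "key-A", 200),  # last success in the lag
    (datetime(2025, 5, 20, 10, 24, 0), "key-A", 403),   # revocation has propagated
    (datetime(2025, 5, 20, 10, 30, 0), "key-B", 200),   # unrelated, never deleted
]


def post_revocation_use(deletions, log):
    """Per deleted key: count of requests that still succeeded after deletion,
    the observed lag in seconds (last success minus deletion time), and the
    success rate for each whole minute after deletion that saw any request."""
    report = {}
    for key, deleted_at in deletions.items():
        after = [(ts, st) for ts, k, st in log if k == key and ts >= deleted_at]
        successes = [ts for ts, st in after if st == 200]
        per_minute = defaultdict(lambda: [0, 0])  # minute offset -> [ok, total]
        for ts, st in after:
            minute = int((ts - deleted_at).total_seconds() // 60)
            per_minute[minute][1] += 1
            if st == 200:
                per_minute[minute][0] += 1
        lag = int((max(successes) - deleted_at).total_seconds()) if successes else 0
        report[key] = {
            "successful_requests_after_deletion": len(successes),
            "observed_lag_seconds": lag,
            "success_rate_by_minute": {m: ok / tot for m, (ok, tot) in sorted(per_minute.items())},
        }
    return report


def keys_exceeding_window(report, window_minutes=23):
    """Keys that kept working longer than the expected propagation window;
    these deserve escalation rather than being written off as normal lag."""
    return [k for k, r in report.items() if r["observed_lag_seconds"] > window_minutes * 60]
```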

...