Google API Keys Expose Gemini, Data, Bills

Security researchers at Truffle Security revealed in recent research that publicly accessible Google Cloud API keys can be weaponized to access sensitive Gemini AI endpoints. This critical vulnerability emerged after users enabled the Generative Language API, retroactively granting old billing keys new AI privileges. Consequently, these keys, designed for services like maps, became live credentials for AI models without warning.

The company discovered 2,863 such keys live on the public internet, according to their report. With a valid key, an attacker can access uploaded files and cached data while charging LLM usage to the victim’s account. Researcher Joe Leon emphasized that keys “now also authenticate to Gemini even though they were never intended for it.”

Meanwhile, a similar investigation by mobile security firm Quokka found over 35,000 unique Google API keys in Android apps. They warned that this “creates a risk profile that is materially different,” as detailed in their own analysis. The issue potentially allows for automated LLM requests and quota consumption, leading to massive bills.

Google has since addressed the problem, with a spokesperson confirming proactive measures are in place. However, the real-world impact may already be significant, as suggested by a user reporting exorbitant charges. Security strategist Tim Erlin noted this demonstrates how “risk is dynamic, and how APIs can be over-permissioned after the fact.”

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• China Courts India Ahead of Key BRICS Leadership Handover
• Trump Media pledged 2,000 BTC as collateral in hedge deal
• Bitcoin Price Crashes Toward $60K Amid Israel-Iran Strike
• Bitcoin Dips 4% Amid Iran Strikes, Support Holds
• US AI Firm Clashes With Pentagon Over Military Use