Google API Keys Remain Usable After Deletion for up to 23 Minutes, Report Says

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Vulnerability Window: Google API keys remain active for up to 23 minutes post-deletion, a recent cybersecurity report warned.
  • Exploitation Risks: Attackers could reportedly extract Gemini files, exfiltrate context, and accumulate severe charges.
  • Google Response: The company labeled the propagation delay as intended and will not issue a fix.

Security researchers at Aikido have discovered a significant propagation delay in Google Cloud infrastructure: Google API keys can remain usable for up to 23 minutes after a user deletes them. Across 10 trials conducted over two days, the revocation window averaged 16 minutes.

Propagation Delays and Infrastructure Exploitation

According to Aikido's researchers, the revocation state propagates gradually across Google's architecture: some servers reject the deleted key within seconds, while others continue to accept authentication requests with it for nearly 23 minutes.

To measure this delay, the researchers generated an API key, deleted it, and then sent three to five authenticated requests per second until the servers stopped returning valid responses.

The revocation window is the time between the key's deletion and the last accepted request | Source: Aikido

This asynchronous update creates a window of opportunity for threat actors: during it, an attacker holding a compromised key can keep sending requests at high volume until one lands on a server that has not yet processed the deletion.

The researchers noted that this access lets an unauthorized user run up substantial compute charges, pull sensitive files uploaded to Gemini, and exfiltrate cached conversational context. "If Gemini is enabled on the project, attackers can dump files you have uploaded and exfiltrate cached conversations," the report said.
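The measurement loop described above, reconstructed as an added example (this is not Aikido's tooling, and the report does not say which endpoint or stop condition it used). The important detail is that the window is defined by the last accepted request, not the first rejection: with replicas learning about the deletion at different times, a 401 can be followed by a 200, so a probe that stops at the first failure undercounts the window. The five-node fleet with staggered propagation delays and the virtual clock are constructed for the demonstration; the `gemini_probe` helper and the Gemini model-list URL it calls are assumptions for a live run, not part of the report.

```python
"""Measure how long a deleted API key keeps working across a fleet whose
nodes learn about the deletion at different times (added example)."""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class RevocationResult:
    first_rejection_s: Optional[float]   # seconds after deletion of the first rejected probe
    last_accepted_s: Optional[float]     # seconds after deletion of the last accepted probe (the window)
    accepted_after_first_rejection: int  # probes that succeeded after a rejection had already been seen
    probes_sent: int


def measure_revocation_window(
    probe: Callable[[], bool],
    deleted_at: float,
    rate_hz: float = 4.0,
    quiet_period_s: float = 120.0,
    max_duration_s: float = 1800.0,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> RevocationResult:
    """Poll `probe` at `rate_hz` starting from `deleted_at` (a `clock()` timestamp).

    Stops only once no probe has been accepted for `quiet_period_s` (or after
    `max_duration_s`), because lagging replicas can accept the key long after
    the first replica has rejected it.
    """
    first_rej = last_ok = None
    after_rej = probes = 0
    while True:
        elapsed = clock() - deleted_at
        if elapsed > max_duration_s:
            break
        probes += 1
        if probe():
            last_ok = elapsed
            if first_rej is not None:
                after_rej += 1
        elif first_rej is None:
            first_rej = elapsed
        # quiet period measured from the last success (or from deletion if none)
        if elapsed - (last_ok if last_ok is not None else 0.0) >= quiet_period_s:
            break
        sleep(1.0 / rate_hz)
    return RevocationResult(first_rej, last_ok, after_rej, probes)


class FakeClock:
    """Virtual clock so the simulation finishes instantly instead of in 25 minutes."""
    def __init__(self) -> None:
        self.ms = 0

    def now(self) -> float:
        return self.ms / 1000.0

    def sleep(self, seconds: float) -> None:
        self.ms += int(round(seconds * 1000))


class SimulatedFleet:
    """Constructed stand-in for a fleet of front ends: each node applies the
    deletion after its own propagation delay; probes are spread round-robin."""
    def __init__(self, clock: FakeClock, deleted_at: float, delays_s: list) -> None:
        self.clock, self.deleted_at, self.delays, self.i = clock, deleted_at, delays_s, 0

    def probe(self) -> bool:
        node = self.i % len(self.delays)
        self.i += 1
        # the key is still accepted while this node has not yet seen the deletion
        return (self.clock.now() - self.deleted_at) < self.delays[node]


def simulate(delays_s=(3.0, 45.0, 300.0, 960.0, 1380.0)) -> RevocationResult:
    """Constructed scenario: five nodes, propagation delays from 3 s to 23 min."""
    clock = FakeClock()
    deleted_at = clock.now()
    fleet = SimulatedFleet(clock, deleted_at, list(delays_s))
    return measure_revocation_window(fleet.probe, deleted_at, clock=clock.now, sleep=clock.sleep)


def gemini_probe(api_key: str) -> bool:
    """Probe for a live run. ASSUMPTION: the Gemini model-list endpoint is used
    as a cheap, read-only authenticated request; the report does not say which
    endpoint was hit. Anything other than HTTP 200 counts as a rejection."""
    url = "https://generativelanguage.googleapis.com/v1beta/models?key=" + api_key
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status == 200
    except (urllib.error.HTTPError, urllib.error.URLError):
        return False


if __name__ == "__main__":
    r = simulate()
    print(f"first rejection after {r.first_rejection_s:.2f}s, "
          f"last accepted after {r.last_accepted_s:.2f}s, "
          f"{r.accepted_after_first_rejection} successes after the first rejection, "
          f"{r.probes_sent} probes")
```

In the constructed scenario the first rejection arrives after a few seconds while the last acceptance comes from the slowest node just under 23 minutes later, with thousands of successful probes in between; a script that stopped at the first 401 would report a window of seconds. For a live measurement, pass `lambda: gemini_probe(key)` as `probe` and `time.monotonic()` taken right after the delete call as `deleted_at`; the defensive reading of the same number is that a leaked key should be treated as live for at least the measured window after deletion, which argues for rotating to a new key first and deleting the old one only once nothing legitimate still uses it.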

Two other Google credential types were also tested:

Regional Testing and Vendor Response

Aikido validated these findings across multiple Google Cloud regions, specifically the U.S. East Coast, Western Europe, and Southeast Asia. The delayed revocation behavior was consistent across key scopes and affected Google APIs including Gemini, BigQuery, and Maps.

Despite the documented risks to developers, Google told Aikido that it has no plans to address the credential revocation gap.

Google closed the vulnerability report as "Won't Fix (Infeasible)," stating that the delay caused by propagation of the key deletion is working exactly as intended.

In February, a Google report said that state-backed hackers were using Gemini AI in cyberattacks aimed at cyber espionage.
