Google API keys can still be used for as long as 23 minutes after users delete them, according to recent tests by security firm Aikido. This vulnerability creates a dangerous window in which cybercriminals can rack up huge charges and extract sensitive data before the keys are fully revoked.
- API keys remain valid on some Google servers for an average of 16 minutes after deletion.
- Attackers can rack up multi-thousand-dollar bills via automated tier upgrades.
- Sensitive files and cached data from Gemini-enabled projects may be stolen.
What happened
Security researchers at Aikido conducted tests revealing that Google API keys do not become instantly inactive upon deletion. Instead, they remain functional on certain servers for a period that averaged 16 minutes and sometimes lasted up to 23 minutes. By sending repeated authenticated requests after the keys were deleted, researchers confirmed some servers accepted the keys during this extended window, allowing persistent unauthorized access.
This delay arises from the gradual propagation of the revocation signal across Google's global infrastructure: a deletion takes effect on some servers immediately and on others only minutes later. Consequently, an attacker holding a compromised API key can continue using it after deletion, escalating usage charges and potentially accessing private data hosted on Google services like Gemini, which stores cached context and user-uploaded files.
Why it matters
The revocation lag exposes users to significant financial and data security risks. Google’s billing system compounds this threat by automatically upgrading spending tiers without user consent when usage spikes. Accounts with over $1,000 in lifetime spending may see caps jump from $250 to as high as $100,000, enabling attackers to incur large bills rapidly using stolen API keys.
Victims of these exploits have reported unauthorized charges reaching five figures within minutes of the breach. Beyond financial losses, sensitive information related to Gemini AI models can be exfiltrated during this vulnerability window. Google has refunded some users after reported incidents, but numerous developers remain exposed to both monetary damages and data compromise while the revocation delay persists.
What to watch next
Security teams and developers using Google Cloud services should closely monitor their API key usage and consider additional safeguards, such as rotating keys frequently and implementing usage alerts. Google’s response to these findings is critical; updates to accelerate key revocation propagation could significantly reduce attacker dwell time and mitigate risks.
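As an added example (not code from Aikido's tests or from Google's tooling), this Python snippet runs the check described above over constructed request-log lines and a key-deletion timestamp: it flags requests a server still accepted after the key was deleted, the spend they incurred, and the longest lag observed. The log format, key id, regions and costs are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): the time the owner deleted
# the key in the console, keyed by a short key identifier.
DELETION_EVENTS = {
    "key-abcd": datetime(2025, 1, 10, 12, 0, 0),
}

# Constructed request log: one line per API call made with that key.
REQUEST_LOG = """\
2025-01-10T11:58:12Z key-abcd region=us-east1 status=200 cost_usd=0.40
2025-01-10T12:03:45Z key-abcd region=europe-west1 status=200 cost_usd=12.50
2025-01-10T12:09:02Z key-abcd region=us-east1 status=403 cost_usd=0.00
2025-01-10T12:15:30Z key-abcd region=asia-east1 status=200 cost_usd=88.00
2025-01-10T12:22:10Z key-abcd region=asia-east1 status=200 cost_usd=140.00
2025-01-10T12:31:00Z key-abcd region=asia-east1 status=403 cost_usd=0.00
"""


def parse_line(line):
    """Parse one assumed-format log line into a record."""
    ts, key_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "key_id": key_id,
        "region": kv["region"],
        "status": int(kv["status"]),
        "cost_usd": float(kv["cost_usd"]),
    }


def post_deletion_usage(log_text, deletions):
    """Per deleted key: successful calls accepted after deletion, the spend
    they incurred, the regions that still honoured the key, and the longest
    lag between deletion and an accepted call (the revocation window)."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        deleted_at = deletions.get(rec["key_id"])
        if deleted_at is None or rec["ts"] <= deleted_at:
            continue  # key not deleted, or call predates the deletion
        if rec["status"] != 200:
            continue  # this server already rejected the revoked key
        entry = report.setdefault(rec["key_id"], {
            "accepted": 0, "spend_usd": 0.0,
            "max_lag": timedelta(0), "regions": set()})
        entry["accepted"] += 1
        entry["spend_usd"] += rec["cost_usd"]
        entry["max_lag"] = max(entry["max_lag"], rec["ts"] - deleted_at)
        entry["regions"].add(rec["region"])
    return report
```

Any key that appears in the report was accepted after its owner deleted it; the `max_lag` value is the propagation window to compare against the 16 to 23 minutes reported above, and `spend_usd` is the amount to raise an alert or refund request on.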
Industry observers will be watching to see if Google revises its billing policies to provide clearer controls over automatic spending tier upgrades, helping users avoid unexpected charges. Meanwhile, similar vulnerabilities have been noted in other cloud providers like AWS, underscoring the need for continued vigilance and improvements in cloud credential management across the sector.