HelpnetSecurity

Deleted Google API keys keep working for up to 23 minutes, researchers warn


Google API keys are credentials that let applications access Google services, from Maps to the Gemini AI. If a key is leaked, an attacker can use it to make API calls, rack up charges, and, if Gemini is enabled, access uploaded files and cached conversations.

The assumed fix is simple: delete the key. But Aikido Security has found that deletion doesn’t actually work right away.

The testing

The researchers found successful authentications up to 23 minutes after a key was deleted, with a median window of around 16 minutes across ten trials performed over two days.

“In each trial, we created an API key, deleted it, and sent 3-5 authenticated requests per second until no valid response came back for several minutes,” they noted.

“For completeness, we also spot checked our work a few weeks later to ensure the behavior we saw was not due to transient network issues.”

Many of Google Cloud’s services are “eventually consistent” by design, meaning updates propagate gradually across servers rather than all at once. This tradeoff lets Google scale globally and stay fast, but for authentication it means a deleted credential can still be accepted by servers the deletion has not yet reached.

The problem is made worse by misleading UI, they added. Google’s deletion dialog states the key “can no longer be used to make API requests”, but the researchers’ tests showed otherwise.

Finally, there’s no way for users to confirm when the key has fully stopped working, or to speed up the key deletion process.

A warning for users

“Our trials all used keys with access to Gemini, but we observed the same behavior with keys scoped to other GCP APIs, such as BigQuery and Maps. The delay is a property of the credential type, not of which APIs are enabled on the project,” they discovered.

They also tested the revocation process for Google service account keys and for a newer API key format specific to the Gemini API, and found revocation windows of approximately 5 seconds and 1 minute, respectively.

This suggests that faster revocation is technically achievable at Google’s scale but, according to the researchers, Google doesn’t intend to fix this as it’s “a known property of the system and not a security issue.”

Google may change its mind, but in the meantime, users deleting a Google API key should be aware of this: treat key deletion as a 30-minute operation and, during that window, monitor API usage in the GCP console under “Enabled APIs and services”.
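As an added example (not Aikido’s test harness or any Google code), a Python poller that measures the window described in the testing section and gives users the confirmation the article says the console lacks: after deleting your own key, probe it at a few requests per second and declare the window closed only once several minutes pass with no accepted response. The endpoint URL and the query-parameter form of the key in `http_probe` are assumptions; `simulate` runs the same loop against a constructed clock so it works offline.

```python
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class RevocationResult:
    last_success_s: Optional[float]  # seconds after deletion of the last accepted request
    confirmed: bool                  # quiet_period elapsed with no success (not a max_wait timeout)
    probes: int                      # requests sent

def measure_revocation_window(probe: Callable[[], bool], quiet_period: float = 300.0,
                              interval: float = 0.25, max_wait: float = 3600.0,
                              now: Callable[[], float] = time.monotonic,
                              sleep: Callable[[float], None] = time.sleep) -> RevocationResult:
    """Call probe() every `interval` s starting right after the key is deleted (4/s matches the
    researchers' 3-5 req/s). The window is closed once `quiet_period` s pass with no accepted
    request; now/sleep are injectable so the loop can be simulated offline."""
    start, last_ok, probes = now(), None, 0
    while True:
        elapsed = now() - start
        probes += 1
        if probe():
            last_ok = elapsed
        elif elapsed - (last_ok or 0.0) >= quiet_period:
            return RevocationResult(last_ok, True, probes)
        if elapsed >= max_wait:
            return RevocationResult(last_ok, False, probes)
        sleep(interval)

def http_probe(url: str, api_key: str) -> bool:
    """One authenticated GET. Assumption: url is a cheap read-only endpoint the key is scoped
    to (a placeholder here) and the key is accepted as the `key` query parameter."""
    try:
        with urllib.request.urlopen(f"{url}?key={api_key}", timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as e:
        if e.code in (400, 401, 403):
            return False
        raise  # 5xx / 429 is not evidence either way; never count it as "revoked"

def simulate(cutoff_s: float, **kw) -> RevocationResult:
    """Constructed offline scenario: a deleted key keeps authenticating for cutoff_s seconds."""
    clock = [0.0]  # fake monotonic time, advanced only by the injected sleep
    def tick(d: float) -> None:
        clock[0] += d
    return measure_revocation_window(lambda: clock[0] < cutoff_s,
                                     now=lambda: clock[0], sleep=tick, **kw)
```

Against a real key, call `measure_revocation_window(lambda: http_probe(URL, KEY))` immediately after deleting it and repeat across several trials, since the article reports a spread from seconds to 23 minutes rather than a fixed delay.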
