A critical privilege escalation vulnerability affecting Google Cloud API keys specifically how legacy public-facing keys now silently grant unauthorized access to Google’s Gemini AI endpoints, exposing private files, cached data, and billable AI usage to attackers.
For over a decade, Google explicitly instructed developers to embed API keys formatted as AIza... strings directly into client-side HTML and JavaScript.
Firebase’s official security checklist stated that API keys are not secrets, and Google Maps documentation directed developers to paste keys publicly into web pages. These keys were designed as project identifiers for billing, not as authentication credentials. That guidance is now dangerously outdated.
When the Gemini API (Generative Language API) is enabled on a Google Cloud project, every existing API key in that project silently inherits access to sensitive Gemini endpoints — with no warning, no confirmation dialog, and no email notification to the developer.
A key deployed three years ago to render a Maps embed can overnight become a live credential capable of accessing uploaded AI files, cached context, and billable inference services.
Researchers at Truffle Security have found out why this situation is a privilege escalation and not just a simple misconfiguration. The key factor is the order of events. A developer followed Google’s guidelines by placing a Maps API key in public JavaScript. Later, another team member activated the Gemini API on the same cloud project.
The public key immediately gained access to sensitive Gemini endpoints, and the original developer was never notified.
The vulnerability roots lie in two recognized weaknesses: CWE-1188 (Insecure Default Initialization) and CWE-269 (Incorrect Privilege Assignment). By default, new API keys in Google Cloud are set to “Unrestricted,” meaning they can access every enabled API in the project from the moment of creation, including Gemini.
What Attackers Can Do
The attack requires zero infrastructure access. An attacker visits a public website, extracts the AIza... key from the page source, and queries the Gemini API directly:
textcurl "https://generativelanguage.googleapis.com/v1beta/files?key=$API_KEY"
A successful response returns a 200 OK, opening access to:
- Private file and cached data — The
/files/and/cachedContents/endpoints can expose uploaded datasets, documents, and stored AI context - Financial damage — Attackers can exhaust Gemini API quotas or generate thousands of dollars in daily charges against the victim’s billing account
- Service disruption — Quota exhaustion can completely shut down legitimate Gemini-powered services
Truffle Security scanned the November 2025 Common Crawl dataset, a ~700 TiB archive of publicly scraped web content, and identified 2,863 live Google API keys vulnerable to this vector.
Affected organizations included major financial institutions, security firms, global recruiting companies, and Google itself. Researchers confirmed that at least one key embedded on a Google product website since February 2023, predating Gemini’s existence entirely, had silently gained full access to Gemini’s model endpoints.
Google has outlined a remediation roadmap that includes scoped defaults for AI Studio keys (Gemini-only access by default), automated blocking of leaked keys discovered in the wild, and proactive notifications to developers when exposed keys are identified.
However, researchers note that the root-cause fix was still in progress as of the disclosure date, and no confirmation of a complete architectural remedy has been issued.
What Developers Should Do Now
Organizations using any Google Cloud service, such as Maps, Firebase, YouTube Data API, or others, should take immediate action:
- Audit all GCP projects — Navigate to APIs & Services > Enabled APIs and check for the “Generative Language API” across every project
- Inspect API key configurations — Flag any unrestricted keys or keys that explicitly permit the Generative Language API
- Verify no keys are public — Search client-side JavaScript, public repositories, and CI/CD pipelines for any exposed
AIza...strings - Rotate all exposed keys immediately — Prioritize older keys deployed under the previous “keys are safe to share” guidance
- Use TruffleHog for scanning — Run
trufflehog filesystem /path/to/your/code --only-verifiedto detect live, verified Gemini-accessible keys in codebases
The pattern exposed here, of public identifiers quietly gaining sensitive AI privileges, is unlikely to be unique to Google. As AI capabilities are bolted onto existing platforms across the industry, the attack surface for legacy credentials will continue to expand in ways no one originally anticipated.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
