‘Silent’ Google API key change exposed Gemini AI data
Summary
Researchers at Truffle Security discovered that Google Cloud API keys, traditionally used for billing, now also authenticate access to Gemini AI project data because of a silent change by Google. Anyone who scrapes these API keys from websites can access uploaded files and cached content and consume tokens, potentially generating large bills for project owners.
IFF Assessment
The silent change in Google API key functionality creates a significant security risk for developers using the Gemini AI API.
Defender Context
Defenders need to be aware that publicly exposed Google API keys can now provide access to sensitive AI data stored in Gemini. Developers should migrate to more secure authentication methods like OAuth 2.0 and implement robust key management practices to prevent unauthorized access and unexpected billing charges. Organizations should monitor for leaked API keys and be aware of the increased risk of data exfiltration and resource abuse.
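One way to act on the monitoring advice above is to audit your own published web assets for embedded Google API keys. The following is an added example, not code from the article or from Truffle Security. It assumes the common key format ("AIza" plus 35 URL-safe characters), and the asset names and keys in it are constructed placeholders.

```python
import hashlib
import re

# Assumption (not stated in the article): Google API keys are "AIza" followed
# by 35 URL-safe characters. The boundaries reject longer look-alike strings.
GOOGLE_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")

def redact(key):
    """Keep enough of the key to recognise it in the console, no more."""
    return key[:6] + "..." + key[-2:]

def find_exposed_keys(assets):
    """Scan {asset name: text} and return one finding per distinct key.

    The raw key is never stored: each finding carries a SHA-256 fingerprint,
    a redacted form, and every (asset, line number) where the key appears.
    """
    findings = {}
    for name, text in assets.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in GOOGLE_KEY_RE.finditer(line):
                key = match.group(0)
                fp = hashlib.sha256(key.encode()).hexdigest()[:12]
                entry = findings.setdefault(
                    fp, {"fingerprint": fp, "redacted": redact(key), "locations": []})
                entry["locations"].append((name, lineno))
    return sorted(findings.values(), key=lambda f: f["fingerprint"])

# Constructed sample data: placeholder keys and page content, not real values.
KEY_A = "AIza" + "A" * 35
KEY_B = "AIza" + "b" * 35
SAMPLE_ASSETS = {
    "index.html": "<html>\n<script>\n  const mapsKey = '" + KEY_A + "';\n</script>\n</html>",
    "static/app.js": "init('" + KEY_A + "');\nconst k2 = \"" + KEY_B + "\";\n"
                     "const notAKey = 'AIzaTooShort';",
}

if __name__ == "__main__":
    for f in find_exposed_keys(SAMPLE_ASSETS):
        where = ", ".join(f"{n}:{l}" for n, l in f["locations"])
        print(f"{f['redacted']} sha256:{f['fingerprint']} -> {where}")
```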