Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement

Summary

Truffle Security discovered nearly 3,000 exposed Google Cloud API keys with the prefix 'AIza' embedded in client-side code that can authenticate to sensitive Gemini endpoints. These exposed keys could be abused to access private data and authenticate to Google AI services.

IFF Assessment

FOE

Exposed API keys with Gemini access represent a significant security risk, allowing unauthorized authentication to AI services and potential data exfiltration from them.

Defender Context

Defenders should audit their Google Cloud infrastructure for exposed API keys in client-side code and implement API key rotation policies immediately. This incident highlights the critical need for secrets management tools, environment variable best practices, and monitoring for API key misuse. Organizations using Google Cloud and Gemini should review access logs and consider restricting API key scopes and implementing IP-based access controls.
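As an added example (not part of the original report), the audit step above can be automated with a scanner that walks client-side source files and reports key-shaped tokens with the 'AIza' prefix named in the report, redacting each finding so the report itself does not re-expose the secret. The 39-character total length and the [A-Za-z0-9_-] alphabet are the commonly used detection pattern for these keys and are an assumption here; the sample files and keys are constructed.

```python
"""Scan client-side source text for embedded Google Cloud API keys.

Added example, not from the original report. The 'AIza' prefix is from the
report; the 39-character length and [A-Za-z0-9_-] alphabet are assumptions
taken from the commonly used detection pattern for these keys.
"""
import re
from typing import Dict, List, Tuple

# 'AIza' followed by 35 key-alphabet characters; the lookarounds keep us
# from matching a longer identifier or token that merely contains 'AIza'.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])AIza[0-9A-Za-z_-]{35}(?![A-Za-z0-9_-])"
)


def redact(key: str) -> str:
    """Keep the prefix and last four characters so a finding can be
    triaged and rotated without copying the full secret into a report."""
    return f"{key[:4]}...{key[-4:]}"


def find_exposed_keys(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, redacted_key) for every key-shaped token
    in the given {path: content} mapping, in file and line order."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for match in GOOGLE_API_KEY_RE.finditer(line):
                findings.append((path, lineno, redact(match.group(0))))
    return findings


# Constructed sample files: the keys are made-up strings of the right
# shape, not real credentials.
SAMPLE_FILES = {
    "static/app.bundle.js": (
        "const cfg = {\n"
        "  geminiKey: 'AIzaSyExampleExampleExampleExampleExamp',\n"
        "  region: 'us-central1',\n"
        "};\n"
    ),
    "static/vendor.js": "var AIzaNotAKey = 1; // identifier, too short\n",
    "index.html": (
        '<script src="https://example.invalid/api.js?key='
        'AIzaSyAnotherExampleExampleExampleKey12"></script>\n'
    ),
}

if __name__ == "__main__":
    for path, lineno, key in find_exposed_keys(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible Google API key {key}")
```

Point `find_exposed_keys` at the contents of a built web bundle or a repository checkout; any hit on a key that also has Gemini enabled should be rotated and its access logs reviewed.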
