Researchers from Truffle Security have uncovered a significant security vulnerability involving Google Cloud API keys. These keys, typically used for billing with services like Maps or YouTube, can be scraped from websites, potentially granting access to sensitive data within the private Gemini AI project.
In a scan of websites conducted by Common Crawl in November, Truffle Security identified 2,863 active Google API keys that left numerous organizations vulnerable. This list included major financial institutions, security firms, global recruiting companies, and even Google itself.
This alarming security issue arose from a silent change in the status of Google Cloud Platform (GCP) API keys, a change that developers were not informed about.
Historical Context of API Keys
For over a decade, Google’s developer documentation has described these keys, which begin with the prefix 'Aiza', as tools for identifying projects for billing. Developers would generate these keys and place them in their client-side HTML code, making them publicly visible.
However, with the introduction of the Gemini API (Generative Language API) in late 2023, these keys also began functioning as authentication keys for sites using the Gemini AI Assistant.
No Warning for Developers
Developers often designed websites with basic features such as embedded Maps functions, which used the original public GCP API key for metering. When they later integrated Gemini into the project to provide a chatbot or other interactive features, the same key unexpectedly granted access to all data stored through the Gemini API. This included datasets, documents, and cached context. Given the nature of AI, retrieving this information could be as easy as asking Gemini to disclose it.
Risks of Exploitation
This access could be exploited to consume tokens through the API, potentially leading to substantial bills for the owners or depleting their quotas. According to Truffle Security, all an attacker needs to do is view a website’s source code and extract the key.
“Your public Maps key is now a Gemini credential. Anyone who scrapes it can access your uploaded files, cached content, and run up your AI bill,” the researchers emphasized. “Nobody informed you.”
API key exploitation is not merely a theoretical concern. In a separate incident, a student reportedly exposed a GCP API key on GitHub last June and incurred a staggering $55,444 bill, which Google later waived after the key was misused.
Google's Response
Truffle Security disclosed the issue to Google in November, and the company ultimately recognized it as a legitimate bug. After learning about the 2,863 exposed keys, Google took action to restrict them from accessing the Gemini API.
As of February 19, the 90-day bug disclosure window closed, with Google still working on a more comprehensive solution.
“The initial response was frustrating; our report was dismissed as ‘Intended Behavior.’ However, after providing concrete evidence from Google’s own infrastructure, the GCP VDP team took the issue seriously,” Truffle Security noted. “Building software at Google’s scale is extraordinarily complex, and the Gemini API inherited a key management system designed for a different era.”
Mitigation Steps
For site administrators concerned about this vulnerability, the first step is to check the GCP console for keys that specifically allow access to the Generative Language API. Additionally, they should look for unrestricted keys, which are now marked by a yellow warning icon, and verify whether any of these keys are publicly accessible.
Exposed keys should be rotated or regenerated, taking into account the potential impact on downstream applications that may have cached the old key.
This vulnerability highlights how seemingly minor oversights in cloud evolution can lead to significant, unforeseen consequences. Truffle Security noted that Google is now taking steps to address the API key issue, including ensuring that API keys created through AI Studio will default to Gemini-only access and implementing measures to block leaked keys while notifying customers when such incidents occur.
“We would appreciate if Google could undertake a retroactive audit of existing impacted keys and inform project owners who may be unknowingly exposed. However, we recognize that this is a monumental task,” Truffle Security concluded.
