Google API Keys Remain Active for Up to 23 Minutes Despite Deletion, Researchers Find


Google API Key Deletion Delay Raises Security Concerns

Researchers at Aikido Security have discovered a critical flaw in Google’s API key management system, which allows deleted keys to continue functioning for up to 23 minutes.

Security Risks Associated with API Keys

API keys, which grant access to various Google services such as Maps and the Gemini AI, can be compromised if leaked. An attacker can utilize a stolen key to execute API calls, accumulate charges, and, if Gemini is enabled, access sensitive data and cached conversations.

According to Aikido Security, “The conventional practice of deleting a compromised key does not guarantee immediate cessation of its functionality.”

Vulnerability Details

  • Aikido Security conducted extensive testing, creating and deleting API keys, and sending multiple authentication requests per second.
  • They observed successful authentications up to 23 minutes post-deletion, with a median window of approximately 16 minutes across ten trials.
  • The issue was verified through repeated spot checks to rule out any transient network issues.

Impact on Google Cloud Services

The vulnerability affects not only Gemini-enabled keys but also those scoped to other GCP APIs, including BigQuery and Maps. The delay in key deactivation is a characteristic of the credential type, rather than the specific API enabled on the project.

Revocation Process

The researchers also examined the revocation process for Google Service Account keys and for a newer format of API key designed specifically for the Gemini API. They found the revocation window for these credentials to be significantly shorter: approximately 5 seconds for Service Account keys and about 1 minute for the newer Gemini API keys.

Recommendations

Users should be aware of the potential risks associated with API key deletion. Organizations should consider treating key deletion as a 30-minute operation and closely monitor API usage during this period to mitigate potential security threats.
