
Is the 'Common Knowledge' About Google API Keys Crumbling? Gemini Activation Turns Public Keys into Data Breach Traps


A vulnerability has been discovered where API keys, previously deemed safe for public use like in Google Maps, gain unauthorized access to sensitive data upon enabling the Gemini API.



📰 News Overview

  • Google Cloud API keys (in the format of AIza…) have long been treated as “safe identifiers to embed in public code” for services like Maps and Firebase.
  • It has been revealed that enabling the Gemini API (Generative Language API) within the same project allows these previously public keys to function as Gemini authentication keys without any warnings.
  • Investigations have found that about 3,000 Google API keys publicly available online inadvertently possess full access rights to Gemini.

💡 Key Points

  • Retroactive Permission Escalation: A key created for Maps three years ago suddenly transforms into a “passport to confidential information” the moment Gemini API is enabled.
  • Unsafe Default Settings: Newly created API keys are set to “unlimited” by default, granting immediate access to all APIs (including Gemini) within the project.
  • Risk of Real Damage: Attackers can simply pick up an exposed key and use it to reach the victim’s uploaded files and cached data, and can run up LLM usage charges on the victim’s account.

🦈 Shark’s Eye (Curator’s Perspective)

The fact that a “public identifier” can suddenly be upgraded to a “secret key” is a developer’s nightmare! Google has previously stated that ‘API keys are not secrets,’ making this issue even more serious. The design where keys written directly in HTML, as per Maps documentation, could become backdoors for Gemini is extremely dangerous. It’s shocking to hear that even old public keys with access to Google’s internal Gemini were found, as pointed out by Truffle Security!

🚀 What’s Next?

Developers using Google Cloud need to apply “API restrictions” to all existing API keys and explicitly prohibit access to sensitive services like Gemini. In the future, a clear separation between “public keys” and “secret keys” will be essential at the architectural level.
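The audit the paragraph above calls for can be scripted against the key inventory of a project. The following is an added example, not code from the article or from Google: it reads the JSON that `gcloud services api-keys list --format=json` prints, classifies every key by its API restrictions, and emits the `gcloud services api-keys update ... --api-target=service=...` command that pins an unrestricted key to a single service. The field names `restrictions.apiTargets[].service` follow the API Keys API v2 resource schema as I understand it, and the gcloud flag syntax is likewise an assumption to be checked against the current CLI; the three sample keys are constructed.

```python
"""Audit Google Cloud API keys for missing or over-broad API restrictions.

Assumed input: the JSON list printed by `gcloud services api-keys list --format=json`
(Key resources of the API Keys API v2). Field names are an assumption based on that
schema; verify against the live output before relying on this in production.
"""
import json

GEMINI_SERVICE = "generativelanguage.googleapis.com"
KEY_PREFIX = "projects/example-proj/locations/global/keys/"

# Constructed sample: three keys as they might appear in a project that enabled
# the Gemini API after the keys were created.
SAMPLE_KEYS_JSON = json.dumps([
    {   # Created for Maps long ago with only a browser (referrer) restriction.
        # A referrer restriction is a client restriction, not an API restriction,
        # so this key can still call every API enabled in the project.
        "name": KEY_PREFIX + "maps-web-key",
        "displayName": "Maps browser key",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.test/*"]}
        },
    },
    {   # Restricted to the Maps backend only: enabling Gemini does not widen it.
        "name": KEY_PREFIX + "maps-restricted-key",
        "displayName": "Maps restricted",
        "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]},
    },
    {   # Explicitly allowed to call Gemini: a server-side secret, never for HTML.
        "name": KEY_PREFIX + "gemini-server-key",
        "displayName": "Gemini server key",
        "restrictions": {"apiTargets": [{"service": GEMINI_SERVICE}]},
    },
])


def classify_key(key):
    """Return 'UNRESTRICTED', 'GEMINI_ALLOWED' or 'OK' for one Key resource."""
    targets = key.get("restrictions", {}).get("apiTargets") or []
    if not targets:
        # Default state for a new key: every enabled API in the project, Gemini included.
        return "UNRESTRICTED"
    services = {t.get("service", "") for t in targets}
    if GEMINI_SERVICE in services:
        return "GEMINI_ALLOWED"
    return "OK"


def audit(keys_json):
    """Map each key name to its classification; only API restrictions are considered."""
    return {k["name"]: classify_key(k) for k in json.loads(keys_json)}


def remediation_commands(keys_json, allowed_service="maps-backend.googleapis.com"):
    """Build gcloud commands (assumed flag syntax) that pin unrestricted keys to one service."""
    cmds = []
    for name, verdict in audit(keys_json).items():
        if verdict == "UNRESTRICTED":
            cmds.append(
                f"gcloud services api-keys update {name} --api-target=service={allowed_service}"
            )
    return cmds


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_KEYS_JSON).items():
        print(f"{verdict:15} {name}")
    for cmd in remediation_commands(SAMPLE_KEYS_JSON):
        print(cmd)
```

Keys reported as `GEMINI_ALLOWED` are legitimate only when they never leave a server; the audit surfaces them so they can be cross-checked against public repositories and web pages. Run it with `gcloud services api-keys list --format=json | python audit_keys.py` once the `SAMPLE_KEYS_JSON` constant is swapped for `sys.stdin.read()`.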

💬 Sharky’s Take

This vulnerability is sharper than a shark’s tooth! This is a classic example of how the old adage, “We’ve always done it this way, so it’s fine,” has been turned upside down by the advent of AI. Everyone needs to check their website’s source code right now! 🦈🔥

📚 Glossary

  • Generative Language API: The official Google API for using the Gemini model programmatically.

  • Privilege Escalation: Acquiring elevated access rights that should not be available, often by exploiting flaws in the system.

  • CWE-1188: Refers to the vulnerability type known as “Initialization with Unsafe Default Values.” The issue with Gemini keys being completely open by default falls under this category.

  • Source: Google API keys weren’t secrets, but then Gemini changed the rules

Disclaimer
This article was structured by AI and is verified and managed by the operator. Accuracy is not guaranteed, and we assume no responsibility for external content.
🦈