An expert thinks... After years of use, some vulnerabilities in Google APIs remain unaddressed. According to Aikido researcher Joseph Leon, leaked Google API keys can still be used for up to 23 minutes after deletion, creating a window of opportunity for attackers. This raises concerns over data privacy and potential misuse. Developers who relied on Google’s billing policy to manage costs now face unexpected financial consequences when their credentials fall into the wrong hands. In one instance, a developer’s account was hit hard, with bills skyrocketing to five figures within minutes. Leon explains that this gap highlights a critical flaw in Google’s infrastructure: security researchers have found that a deletion takes time to propagate across Google’s systems, so the key keeps working in the meantime. With Gemini access enabled, attackers can exfiltrate files and cache data before the key expires, posing a real threat. However, Google has yet to address this issue, leaving users and developers to grapple with ongoing challenges. What makes this particularly striking is how easily the system’s design flaws can be exploited. From my perspective, this underscores the importance of continuous monitoring and proactive security measures.
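The practical consequence of the propagation gap above is that deleting a leaked key does not end the incident; a defender has to keep probing with the deleted key until it is actually rejected. The poller below is an added example, not code from Aikido or the article; the `probe` callable is an assumed placeholder for a request made with the deleted key against your own project, and `simulate` drives it with a constructed fake key and fake clock so it runs offline.

```python
import time
from dataclasses import dataclass
from typing import Callable

# Upper bound reported in the article: a deleted key was still accepted for up to 23 minutes.
REPORTED_WINDOW_S = 23 * 60


@dataclass
class RevocationResult:
    revoked: bool      # True once a probe with the deleted key was rejected
    elapsed_s: float   # seconds from first probe to rejection (or to giving up)
    probes: int        # number of probes sent


def wait_for_revocation(
    probe: Callable[[], bool],
    max_wait_s: float,
    interval_s: float = 30.0,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> RevocationResult:
    """Poll probe() until the deleted key is rejected or max_wait_s elapses.

    probe() returns True while the key is still accepted. In a real check it is an
    HTTP request made with the deleted key against your own project; any successful
    response means the key is still live and the incident is still open.
    """
    start = clock()
    probes = 0
    while True:
        probes += 1
        still_accepted = probe()
        elapsed = clock() - start
        if not still_accepted:
            return RevocationResult(True, elapsed, probes)
        if elapsed >= max_wait_s:
            return RevocationResult(False, elapsed, probes)
        sleep(interval_s)


def simulate(accepted_for_s: float, max_wait_s: float, interval_s: float = 30.0) -> RevocationResult:
    """Run the poller against a constructed fake key that stays valid for
    accepted_for_s seconds, with a fake clock so no real time passes."""
    now = [0.0]
    clock = lambda: now[0]
    sleep = lambda s: now.__setitem__(0, now[0] + s)
    probe = lambda: now[0] < accepted_for_s   # constructed behaviour, not Google's
    return wait_for_revocation(probe, max_wait_s, interval_s, clock=clock, sleep=sleep)
```

Treat `revoked=False` at the end of the wait as a signal to escalate (rotate again, check billing), not as a reason to stop watching.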