Developers Weren’t Notified as Billing Identifiers Covertly Became Gemini Authentication Credentials.
Google Cloud API keys, traditionally serving as basic billing identifiers for services like Maps or YouTube APIs, were recently found by Truffle Security researchers to be vulnerable to website scraping, potentially granting unauthorized access to private Gemini AI project data.
A Common Crawl analysis of websites conducted by the firm in November revealed 2,863 active Google API keys that left various organizations exposed. This group encompassed “major financial institutions, cybersecurity firms, global recruitment agencies, and even Google itself,” Truffle Security reported.
This critical security flaw emerged due to an unannounced alteration in the functionality of Google Cloud Platform (GCP) API keys, a change Google failed to communicate to its developer community.
For over ten years, Google’s developer guides have characterized these keys, identifiable by the ‘AIza’ prefix, solely as a mechanism for billing project usage. Developers would generate these keys and embed them directly into their client-side HTML, where they were publicly visible.
However, since the introduction of the Gemini API (Generative Language API) starting in late 2023, it appears these same keys began serving a dual role as authentication tokens for websites integrating the Gemini AI Assistant.
Absence of Notification
A developer might initially set up a website with simple functionalities, such as an embedded Maps feature, with its usage metered via the original public GCP API key. If Gemini was subsequently added to the same project—for instance, to provide a chatbot or another interactive element—that identical key inadvertently authenticated access to any data the owner had stored through the Gemini API, including datasets, documents, and cached context. Given the nature of AI, retrieving this data could be as straightforward as prompting Gemini to disclose it.
This same level of access could also be leveraged to incur substantial costs by consuming API tokens, potentially leading to large invoices for project owners or exhausting their allotted quotas, Truffle Security explained. An attacker would merely need to examine a site’s source code and extract the key.
“Your publicly available Maps key now doubles as a Gemini credential. Anyone who extracts it can access your uploaded files, cached information, and significantly inflate your AI expenses,” the researchers underscored. “You were never informed.”
The exploitation of API keys is not merely theoretical. In a separate incident last June, a student who reportedly disclosed a GCP API key on GitHub faced a $55,444 bill (later waived by Google) after it was retrieved and misused by others.
Truffle Security stated that it brought the key issue to Google’s attention in November, and Google eventually acknowledged it as a genuine bug. Upon learning about the 2,863 exposed keys, Google moved to restrict their access to the Gemini API.
The 90-day window for bug disclosure concluded on February 19, with Google reportedly still engaged in developing a more comprehensive solution.
“The initial review was disheartening; the report was categorized as ‘Intended Behavior.’ However, after presenting undeniable evidence from Google’s internal infrastructure, the GCP VDP team began treating the issue with the seriousness it deserved,” Truffle Security elaborated. “Developing software at Google’s immense scale is incredibly challenging, and the Gemini API adopted a key management framework designed for a bygone era.”
Remediation
For website administrators who are concerned, the first step is to check the GCP console for any keys that specifically enable the Generative Language API. Additionally, look for unrestricted keys, which are now indicated by a yellow warning icon. It’s crucial to ascertain if any of these keys are publicly accessible.
All compromised keys should undergo rotation or ‘regeneration,’ with a transition period allocated to manage the impact on any dependent applications that might still be using the old key.
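One way to script the checks above (an added example, not code from Truffle Security or Google). It assumes a key inventory shaped like the JSON from `gcloud services api-keys list --format=json`, with a hypothetical `keyString` field merged in for each key, plus the HTML your own site serves; the function names and sample keys are constructed.

```python
import json
import re

# Commonly used pattern for Google API key strings: "AIza" + 35 URL-safe characters.
KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")
GEMINI_SERVICE = "generativelanguage.googleapis.com"


def classify(key):
    """Return risk flags for one key record from the inventory."""
    targets = [t.get("service") for t in key.get("restrictions", {}).get("apiTargets", [])]
    if not targets:
        return ["unrestricted"]  # no API restriction: usable with any API enabled in the project
    return ["gemini-enabled"] if GEMINI_SERVICE in targets else []


def triage(inventory, public_source):
    """Map displayName -> flags for risky keys; add 'public' when the key
    string also appears in the supplied page source."""
    exposed = set(KEY_RE.findall(public_source))
    report = {}
    for key in inventory:
        flags = classify(key)
        if flags and key.get("keyString") in exposed:
            flags.append("public")
        if flags:
            report[key["displayName"]] = flags
    return report


# Constructed sample data; the key strings are fake placeholders.
MAPS_LEGACY, CHATBOT, MAPS_LOCKED = ("AIza" + c * 35 for c in "ABC")
INVENTORY = [
    {"displayName": "maps-legacy", "keyString": MAPS_LEGACY},
    {"displayName": "chatbot", "keyString": CHATBOT,
     "restrictions": {"apiTargets": [{"service": GEMINI_SERVICE}]}},
    {"displayName": "maps-locked", "keyString": MAPS_LOCKED,
     "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
]
PAGE = (f'<script src="https://maps.googleapis.com/maps/api/js?key={MAPS_LEGACY}"></script>\n'
        f'<script>const MAP_KEY = "{MAPS_LOCKED}";</script>')

if __name__ == "__main__":
    print(json.dumps(triage(INVENTORY, PAGE), indent=2))
```

Keys flagged both "unrestricted" (or "gemini-enabled") and "public" are the ones to rotate first; a key restricted to Maps only is not reported even though it appears in the page.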
This security flaw underscores how seemingly minor oversights in cloud evolution can lead to broader, unanticipated consequences. Truffle Security highlighted that Google has now outlined in its development roadmap that it is implementing measures to address the API key vulnerability: API keys generated via AI Studio will default to Gemini-exclusive access, and Google will also work to block detected leaked keys, notifying customers when such incidents occur.
“While we would welcome Google going further to retroactively audit existing affected keys and inform project owners who may be unknowingly exposed, we recognize that this would be an immense undertaking,” Truffle Security acknowledged.
This content was initially published on CSOonline.