Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement

Researchers found that Google Cloud API keys, many embedded in client-side code as billing identifiers, can be abused to authenticate to Gemini endpoints and expose uploaded files and cached data. Truffle Security and Quokka reported thousands of exposed keys that become unrestricted Gemini credentials when the Generative Language API is enabled, enabling quota theft and large billing charges; Google has implemented measures to detect and block leaked keys. #GoogleCloud #Gemini #TruffleSecurity #Quokka

Keypoints

  • API keys with the “AIza” prefix found in client-side code can authenticate to Gemini endpoints.
  • Enabling the Generative Language API on a project causes existing keys to gain Gemini access without notice.
  • Stolen keys can be used to access /files and /cachedContents, make Gemini calls, and incur large charges.
  • Truffle Security found 2,863 live public keys, and Quokka identified over 35,000 keys in Android apps.
  • Organizations should audit AI-related APIs, rotate exposed keys (starting with the oldest), and implement continuous API security monitoring.
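A starting point for the audit step above, written here as an added example (it is not code from the article, Truffle Security, Quokka or Google): it scans a client-side bundle for keys with the "AIza" prefix and for references to the Gemini (Generative Language) endpoint, and masks any hit so the report itself does not leak the secret. The key pattern (AIza followed by 35 URL-safe characters) and the sample bundle are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Google Cloud API keys are "AIza" + 35 URL-safe base64 characters (39 total).
# Lookarounds rather than \b so keys ending in "-" or "_" are still matched.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)
# Host of the Generative Language API; a reference in client code means a
# leaked key on that project is usable against Gemini once the API is enabled.
GEMINI_HOST = "generativelanguage.googleapis.com"

# Constructed, non-functional key with the right shape (39 characters).
FAKE_KEY = "AIzaSyEXAMPLE" + "0" * 25 + "1"

# Constructed sample of a minified web bundle: a key embedded as a "billing
# identifier", a Gemini call, and a near miss that must not be reported.
SAMPLE_BUNDLE = (
    'var cfg={maps:{key:"' + FAKE_KEY + '"}};\n'
    'fetch("https://' + GEMINI_HOST + '/v1beta/files?key="+cfg.maps.key);\n'
    '// near miss: prefix without the 35-character body\n'
    'var notAKey="AIzaShort";\n'
)


def find_google_api_keys(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for every AIza-style key literal in text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def find_gemini_endpoint_refs(text: str) -> List[int]:
    """Return line numbers that reference the Generative Language API host."""
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if GEMINI_HOST in line]


def mask_key(key: str) -> str:
    """Keep only the prefix and last 4 characters so findings stay safe to share."""
    return key[:8] + "..." + key[-4:]


def scan_report(text: str) -> List[str]:
    """Human-readable findings: masked keys plus Gemini endpoint references."""
    report = [f"line {n}: exposed key {mask_key(k)}"
              for n, k in find_google_api_keys(text)]
    report += [f"line {n}: Gemini endpoint referenced"
               for n in find_gemini_endpoint_refs(text)]
    return report


if __name__ == "__main__":
    print("\n".join(scan_report(SAMPLE_BUNDLE)))
```

Any key reported by this scan should be treated as exposed and rotated regardless of whether the project currently has the Generative Language API enabled, since enabling it later widens what the key can reach.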

Read More: https://thehackernews.com/2026/02/thousands-of-public-google-cloud-api.html