Ethical Hacking News

Google API Keys Remain Usable for Up to 23 Minutes After Deletion, Leaving Developers Vulnerable to Attacks


Google's API keys may remain usable for up to 23 minutes after they are deleted, leaving developers vulnerable to attacks from malicious actors. This delay is caused by various factors within Google's infrastructure, including regional caching and propagation times. Developers must take proactive steps to secure their API keys and monitor their usage closely to prevent potential financial losses or data breaches.

  • API keys can remain usable for up to 23 minutes after they are deleted.
  • The delay in revoking API keys is caused by factors within Google's infrastructure.
  • Regional infrastructure or caching may be playing a role in the delay.
  • This behavior applies to Gemini API keys and other Google Cloud APIs such as BigQuery and Maps.
  • Google has stated it does not plan to address this issue, citing it as "working as intended."
  • Developers must take proactive steps to secure their API keys and monitor usage closely.



Google's API keys have long been a vital tool for developers to access various services and features within the Google Cloud Platform. However, recent research has revealed that these API keys can remain usable for up to 23 minutes after they are deleted, leaving developers vulnerable to attacks from malicious actors.

According to a study conducted by Aikido, a security research firm, the delay in revoking API keys is caused by various factors within Google's infrastructure. The researchers found that some servers reject the key within seconds, while others continue to accept it for up to 23 minutes. This means that even if a developer deletes an API key and attempts to shut down access to their account, there is still a window of opportunity for attackers to use the key before it is revoked everywhere.

The researchers tested this phenomenon by creating multiple API keys, deleting them, and then sending authenticated requests from multiple virtual machines (VMs) in parallel. They observed that VMs located farther away from the US picked up the deletion faster than those closer to the US, which suggested that regional infrastructure or caching was playing a role in the delay.

Furthermore, Aikido found that this behavior is not unique to Gemini API keys, but also applies to other Google Cloud APIs such as BigQuery and Maps. This means that developers using any of these services may be vulnerable to attacks while their deleted API key is still being accepted.

The researchers noted that Google's service account API credential revocations propagate in about 5 seconds, which is significantly faster than the delay observed with Gemini keys. However, Aikido was unable to replicate this behavior with other types of credentials.
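The measurement the article describes (delete a key, then keep sending authenticated requests from several vantage points until each one stops accepting it) can be reduced to a small harness. The following is an added example, not Aikido's test code: the per-region probe is a pluggable function, and a simulated backend with constructed cache lags stands in for Google's infrastructure so the harness runs offline. The region names, lag values and key string are all made up for the example; a real run would pass probes that issue the actual API request from each region and return whether it succeeded.

```python
"""Measure how long a deleted API key keeps being accepted, per vantage point.

Added example, not Aikido's harness. A real run replaces `simulated_probes`
with functions that send an authenticated request from a given region and
report whether the key was accepted; everything below is constructed.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Probe = Callable[[str], bool]  # True = request with this key accepted, False = rejected


@dataclass
class RevocationResult:
    region: str
    seconds_until_rejected: Optional[float]  # None: still accepted when the deadline passed
    accepted_after_deletion: int             # requests that succeeded after the delete


def measure_revocation(key: str, probes: Dict[str, Probe], deleted_at: float,
                       deadline_s: float = 30 * 60, interval_s: float = 5.0,
                       clock: Callable[[], float] = time.monotonic,
                       sleep: Callable[[float], None] = time.sleep) -> List[RevocationResult]:
    """Poll every probe with the deleted key until each one rejects it or the deadline passes."""
    pending = dict(probes)
    accepted = {region: 0 for region in probes}
    results: List[RevocationResult] = []
    while pending and clock() - deleted_at < deadline_s:
        for region, probe in list(pending.items()):
            if probe(key):
                accepted[region] += 1
            else:
                results.append(RevocationResult(region, clock() - deleted_at, accepted[region]))
                del pending[region]
        if pending:
            sleep(interval_s)
    # Regions that never rejected the key before the deadline are reported as still-open windows.
    for region in pending:
        results.append(RevocationResult(region, None, accepted[region]))
    return results


def worst_case_window(results: List[RevocationResult]) -> Optional[float]:
    """Longest observed time-to-rejection; None if any region still accepted the key."""
    if any(r.seconds_until_rejected is None for r in results):
        return None
    return max(r.seconds_until_rejected for r in results)


class FakeClock:
    """Deterministic clock so the simulation finishes instantly."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def simulated_probes(clock: Callable[[], float], deleted_at: float,
                     lag_by_region: Dict[str, float], live_key: str) -> Dict[str, Probe]:
    """Backend model: each region keeps honouring the key until deletion plus its cache lag."""
    def probe_for(region: str) -> Probe:
        return lambda key: key == live_key and clock() < deleted_at + lag_by_region[region]
    return {region: probe_for(region) for region in lag_by_region}


def run_simulation() -> List[RevocationResult]:
    clock = FakeClock()
    # Constructed lags (not measured values): one stale region, one mid, one near-immediate.
    lags = {"region-a": 23 * 60.0, "region-b": 8 * 60.0, "region-c": 3.0}
    probes = simulated_probes(clock, 0.0, lags, "constructed-test-key")
    return measure_revocation("constructed-test-key", probes, deleted_at=0.0,
                              clock=clock, sleep=clock.sleep)


if __name__ == "__main__":
    results = run_simulation()
    for r in results:
        print(f"{r.region}: rejected after {r.seconds_until_rejected}s, "
              f"{r.accepted_after_deletion} requests accepted post-deletion")
    print("worst-case window:", worst_case_window(results), "s")
```

The number worth tracking is `worst_case_window`: the slowest region, not the average, is the exposure a leaked key still has after you delete it. Polling from a single location, as a quick console check would, only measures the cache that location happens to hit.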

Google has responded to these findings by stating that it does not plan to address the issue, citing it as "working as intended." This decision has left many developers concerned about their API key security and the potential for malicious attacks.

The implications of this study are far-reaching. Developers who use Google Cloud services must now be aware of the potential for API keys to remain usable after they have been deleted. This could lead to significant financial losses, data breaches, or other forms of exploitation if not addressed promptly.

In light of these findings, it is essential for developers to take proactive steps to secure their API keys and monitor their usage closely. This may involve implementing additional security measures such as two-factor authentication, using alternative APIs that do not have the same vulnerability, or regularly reviewing and updating their code to ensure that any potential vulnerabilities are addressed.

As the use of AI-powered tools continues to grow within the development community, it is crucial that we prioritize API key security and take steps to mitigate these types of risks. By doing so, we can help protect our data, prevent financial losses, and maintain the trust between developers and their API providers.
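"Monitor usage closely" becomes concrete once you join the provider's request log against the moment each key was deleted. The following is an added example, not a Google Cloud tool: the log format and the sample records are constructed for illustration, as is the deletion timestamp, and a real deployment would feed the same functions with records from whatever request or audit log the provider exposes. It reports, per deleted key, how many requests were still accepted after deletion, how long after deletion the last one landed, and which client addresses first appeared only after the delete.

```python
"""Flag API-key usage that was accepted after the key's recorded deletion.

Added example, not a Google Cloud tool. Log lines and deletion times below
are constructed; the line format (timestamp, key id, status, client ip)
is an assumption for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sample log: ISO-8601 timestamp, key id, HTTP status, client IP
SAMPLE_LOG = """\
2026-05-21T10:00:00Z key-alpha 200 198.51.100.7
2026-05-21T10:01:30Z key-alpha 200 198.51.100.7
2026-05-21T10:05:00Z key-alpha 200 198.51.100.7
2026-05-21T10:07:10Z key-alpha 200 203.0.113.9
2026-05-21T10:20:00Z key-alpha 403 203.0.113.9
2026-05-21T10:06:00Z key-beta 200 198.51.100.7
"""

# Constructed deletion times, as a console or audit trail would record them
DELETED_AT = {"key-alpha": datetime(2026, 5, 21, 10, 2, tzinfo=timezone.utc)}


@dataclass(frozen=True)
class UsageEvent:
    ts: datetime
    key_id: str
    status: int
    client_ip: str


def parse_usage_log(text: str) -> List[UsageEvent]:
    """Parse the constructed whitespace-separated log format into events."""
    events: List[UsageEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key_id, status, ip = line.split()
        # fromisoformat() accepts "+00:00" on every supported Python version; "Z" only on 3.11+
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(UsageEvent(when, key_id, int(status), ip))
    return events


@dataclass
class PostDeletionReport:
    key_id: str
    accepted_after_deletion: int   # successful requests stamped after the delete
    last_accepted_lag_s: float     # seconds between deletion and the last accepted request
    new_clients: Set[str]          # addresses that never used the key before deletion


def post_deletion_usage(events: List[UsageEvent],
                        deleted_at: Dict[str, datetime]) -> Dict[str, PostDeletionReport]:
    """For each deleted key, summarise requests the backend still accepted afterwards."""
    reports: Dict[str, PostDeletionReport] = {}
    for key_id, cutoff in deleted_at.items():
        mine = [e for e in events if e.key_id == key_id]
        known_before = {e.client_ip for e in mine if e.ts < cutoff}
        late_ok = [e for e in mine if e.ts >= cutoff and 200 <= e.status < 300]
        if not late_ok:
            continue  # revocation held: nothing accepted after the delete
        reports[key_id] = PostDeletionReport(
            key_id=key_id,
            accepted_after_deletion=len(late_ok),
            last_accepted_lag_s=max((e.ts - cutoff).total_seconds() for e in late_ok),
            new_clients={e.client_ip for e in late_ok} - known_before,
        )
    return reports


def run_sample() -> Dict[str, PostDeletionReport]:
    return post_deletion_usage(parse_usage_log(SAMPLE_LOG), DELETED_AT)


if __name__ == "__main__":
    for report in run_sample().values():
        print(f"{report.key_id}: {report.accepted_after_deletion} accepted after deletion, "
              f"last one {report.last_accepted_lag_s:.0f}s later, new clients: {sorted(report.new_clients)}")
```

The `new_clients` field is the part worth alerting on. Your own services retrying with a stale key during the propagation window produce accepted requests from addresses already in the log; an address that first shows up after the delete is someone else using the key in the window the article describes.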



Related Information:
  • https://www.ethicalhackingnews.com/articles/Google-API-Keys-Remain-Usable-for-Up-to-23-Minutes-After-Deletion-Leaving-Developers-Vulnerable-to-Attacks-ehn.shtml

  • https://www.theregister.com/devops/2026/05/21/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion/5244504

  • https://www.imtr.net/article/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion-2758


  • Published: Thu May 21 16:24:16 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.