Threat hunters find Google API keys still usable 23 minutes after deletion

https://image.theregister.com/5244583.jpg?imageId=5244583&x=0&y=0&cropw=100&croph=100&panox=0&panoy=0&panow=100&panoh=100&width=1200&height=683

Plenty of time for bad actors to grab data or hit you with a giant bill

You know your Google API key has leaked so you rush to disable it before bad actors can start running up charges on your account. Bad news: According to security researchers at Aikido, people can use the API keys for up to 23 minutes after a user deletes them, creating a window of opportunity that, when combined with Google’s automatic billing tier upgrades, can devastate victims.

“We've identified a substantial window where an attacker with access to a leaked Google API key can continue to misuse that credential, after the user believes the key is revoked,” Joseph Leon, a security researcher with Aikido, told The Register. “In that window, an attacker could run up charges, pull sensitive files uploaded to Gemini, and exfiltrate cached context.”

Aikido tested the gap during 10 trials over two...

Copyright of this story solely belongs to theregister.com. To see the full text click HERE

Read more