Public Google Cloud API keys have been exposed and could be used to authenticate to Gemini endpoints once the Gemini API is enabled on the project, researchers warn. New findings from Truffle Security identified 2,863 live Google API keys accessible on the public internet, many embedded in client-side code to support Google services such as embedded maps. With a valid key, an attacker can access uploaded files and cached data, and even trigger Gemini calls, potentially incurring large charges for the key's owner.
The report notes that a newly created API key defaults to “Unrestricted,” meaning it is valid for every enabled API in the project, including Gemini. A Google spokesperson told The Hacker News that the company has “implemented proactive measures to detect and block leaked API keys that attempt to access the Gemini API.” The researchers urge organisations to rotate keys if AI-related APIs are enabled and the keys are publicly accessible, and to review API usage and access as part of ongoing security testing.
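The two checks the report implies, finding Google API keys that ship in client-side code and working out which enabled APIs an "Unrestricted" key can reach, can be run against your own assets. The following is an added example written for this page, not code from Truffle Security or Google. It assumes the standard `AIza` key format, a constructed JavaScript bundle as input, and a simplified `KeyRestrictions` record that mirrors the API-target and HTTP-referrer restriction fields an organisation would read from its key inventory; the service names used are the ones Google Cloud exposes for the Maps JavaScript API and the Gemini API.

```python
import re
from dataclasses import dataclass, field

# Google API keys are "AIza" followed by 35 URL-safe characters (39 chars total).
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Service name of the Gemini API on Google Cloud; reachable by an unrestricted key
# as soon as the API is enabled on the project.
GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Constructed sample of a front-end bundle; the key is a made-up value that only
# matches the format and is not a real credential.
SAMPLE_BUNDLE = "\n".join([
    "// constructed sample of a minified front-end bundle",
    "var mapsKey = 'AIzaSyEXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE01';",
    "initMap({key: mapsKey, center: [51.5, -0.1]});",
    "var notAKey = 'AIzaTooShort';",
])


@dataclass
class KeyRestrictions:
    """Simplified view of a key's restrictions (assumed shape, not Google's API)."""
    api_targets: list = field(default_factory=list)       # empty -> "Unrestricted"
    allowed_referrers: list = field(default_factory=list)  # empty -> any origin


def redact(key: str) -> str:
    """Keep enough of the key to correlate findings without re-leaking it."""
    return key[:8] + "..." + key[-4:]


def find_keys(text: str) -> list:
    """Return (line_number, key) pairs for every well-formed Google API key in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            hits.append((line_no, match.group(0)))
    return hits


def reachable_apis(restrictions: KeyRestrictions, enabled_apis: set) -> set:
    """APIs a key can call: everything enabled if unrestricted, else the intersection."""
    if not restrictions.api_targets:
        return set(enabled_apis)
    return set(restrictions.api_targets) & set(enabled_apis)


def assess(text: str, restrictions: KeyRestrictions, enabled_apis: set) -> list:
    """Produce human-readable findings for keys found in public client-side code."""
    findings = []
    exposed = reachable_apis(restrictions, enabled_apis)
    for line_no, key in find_keys(text):
        findings.append(f"line {line_no}: key {redact(key)} present in client-side code")
        if not restrictions.api_targets:
            findings.append(f"  key is Unrestricted: valid for {sorted(exposed)}")
        if GEMINI_SERVICE in exposed:
            findings.append("  Gemini API reachable with this key: rotate and restrict")
        if not restrictions.allowed_referrers:
            findings.append("  no HTTP referrer restriction: usable from any origin")
    return findings


if __name__ == "__main__":
    enabled = {"maps-backend.googleapis.com", GEMINI_SERVICE}
    unrestricted = KeyRestrictions()
    for line in assess(SAMPLE_BUNDLE, unrestricted, enabled):
        print(line)
    print("--- after restricting the key to Maps and a referrer ---")
    scoped = KeyRestrictions(api_targets=["maps-backend.googleapis.com"],
                             allowed_referrers=["https://example.com/*"])
    for line in assess(SAMPLE_BUNDLE, scoped, enabled):
        print(line)
```

The second run shows the intended end state for a browser key: the same key still appears in the bundle (that is unavoidable for an embedded map), but with an API target of Maps only and a referrer allow-list it can no longer reach Gemini even though the Gemini API stays enabled on the project.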