- Aikido researchers find Google API keys remain usable for up to 23 minutes after deletion
- Success rates varied across trials, with Gemini‑enabled projects especially vulnerable to stolen files and cached conversations
- Google dismisses issue as propagation delay, but Aikido advises treating deletion as a 30‑minute window and monitoring for unexpected usage
If you expect a Google API key to stop working the moment you delete it, we have a surprise for you.
Researchers from Aikido found users can successfully authenticate up to 23 minutes after deletion, creating a gigantic security risk and a major opportunity for threat actors.
The worst part is that users have almost no way of knowing when the authentication window closes and can do absolutely nothing to speed it up.
“False statements”
In its report, Aikido described running 10 trials over two days, creating and deleting API keys while sending 3-5 authenticated requests per second, to measure the revocation window.
What they found was rather inconsistent: the longest window was 23 minutes, while the shortest one was 8 minutes.
The team also said success rates were highly unpredictable: in one trial 79% of requests succeeded a minute after deletion, while in another only 5% did. The issue gets even worse for projects where Gemini is enabled, Aikido further stressed. Threat actors can dump uploaded files and exfiltrate cached conversations using the “deleted” key with relative ease.
The report slammed Google for a misleading user interface, which tells users who delete their keys: “Once deleted, it can no longer be used to make API requests.”
“That statement is demonstrably false,” Aikido said. “The user has no way to know whether the key is still live, no way to speed up revocation, and no way to confirm when it has fully stopped working.”
Google responded to Aikido’s disclosure by closing the report and saying it wouldn’t fix it. “The team’s position, as we understand it, is that propagation delay is a known property of the system and not a security issue,” the report says.
There might not be a fix or a workaround, but Aikido does discuss a mitigation. Key deletion should be treated as a 30-minute operation, and during that window users should monitor “Enabled APIs and services” in the GCP console for unexpected usage from the deleted credential.
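One way to turn Aikido's measurement method and its 30-minute mitigation into something you can run against your own project, as an added example that is not from the Aikido report or from Google: the first function polls an API with a key you have just deleted and records when a request was last accepted, and the second flags usage records that show a deleted key still being used. The real API call is injected as a `probe` callable; the `SimulatedBackend`, the `FakeClock`, the per-node propagation delays and the log records are all constructed here so the example runs offline, and the `key_id`/`timestamp`/`source_ip` record fields are assumed rather than taken from Google's log schema.

```python
"""Added example: measure a deleted key's revocation window and flag its
post-deletion use. Not from Aikido's report or Google; the API call is
injected as a `probe` so the example runs offline against a simulated backend.
"""
import time
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class RevocationReport:
    last_success_offset_s: Optional[float]      # seconds after deletion of the last accepted request
    per_minute_success_rate: dict = field(default_factory=dict)  # minute index -> accepted/total
    fully_revoked: bool = False                 # a full quiet period passed with no acceptance


def measure_revocation_window(probe: Callable[[], bool], *, requests_per_second: float = 4.0,
                              max_wait_s: float = 1800.0, quiet_period_s: float = 120.0,
                              clock: Callable[[], float] = time.monotonic,
                              sleep: Callable[[float], None] = time.sleep) -> RevocationReport:
    """Poll `probe` (one authenticated request with the already-deleted key) until
    either no request has been accepted for `quiet_period_s` or `max_wait_s` has
    elapsed. Call this immediately after deleting the key."""
    start = clock()
    interval = 1.0 / requests_per_second
    counts = defaultdict(lambda: [0, 0])   # minute -> [accepted, total]
    last_success = None
    fully_revoked = False
    while True:
        elapsed = clock() - start
        if elapsed >= max_wait_s:
            break
        since_reference = elapsed - (last_success if last_success is not None else 0.0)
        if since_reference >= quiet_period_s:
            fully_revoked = True
            break
        minute = int(elapsed // 60)
        counts[minute][1] += 1
        if probe():
            counts[minute][0] += 1
            last_success = elapsed
        sleep(interval)
    rates = {m: acc / tot for m, (acc, tot) in sorted(counts.items())}
    return RevocationReport(last_success, rates, fully_revoked)


class FakeClock:
    """Constructed clock so the probe loop runs in simulated rather than wall time."""
    def __init__(self):
        self.now = 0.0
    def monotonic(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds


class SimulatedBackend:
    """Constructed stand-in for an API behind several replicas that each learn of
    the deletion after their own propagation delay; requests round-robin over them."""
    def __init__(self, clock, node_delays_s):
        self.clock, self.deleted_at = clock, clock.monotonic()
        self.node_delays_s, self.calls = list(node_delays_s), 0
    def authenticate(self) -> bool:
        delay = self.node_delays_s[self.calls % len(self.node_delays_s)]
        self.calls += 1
        return self.clock.monotonic() - self.deleted_at < delay


def run_simulation(node_delays_s=(30, 60, 120, 300, 480)) -> RevocationReport:
    clock = FakeClock()
    backend = SimulatedBackend(clock, node_delays_s)   # constructed delays, not measured values
    return measure_revocation_window(backend.authenticate, clock=clock.monotonic, sleep=clock.sleep)


DELETION_WINDOW = timedelta(minutes=30)   # the report's advice: treat deletion as a 30-minute operation


def flag_post_deletion_usage(records, deleted_keys):
    """Return usage records for keys that were already deleted when the request arrived.
    `records` are dicts with assumed fields key_id/timestamp/source_ip; `deleted_keys`
    maps key_id -> deletion time (timezone-aware datetimes)."""
    findings = []
    for rec in records:
        deleted_at = deleted_keys.get(rec["key_id"])
        if deleted_at is None or rec["timestamp"] <= deleted_at:
            continue
        age = rec["timestamp"] - deleted_at
        findings.append({
            "key_id": rec["key_id"],
            "source_ip": rec.get("source_ip"),
            "seconds_after_deletion": age.total_seconds(),
            # inside the window this is the propagation lag the report describes;
            # beyond it the key should be dead and the request needs investigation
            "beyond_window": age > DELETION_WINDOW,
        })
    return findings


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data: placeholder key ids and documentation IP ranges, not real logs.
DELETED_KEYS = {"AIza-CONSTRUCTED-1": _ts("2024-05-01T10:00:00")}
SAMPLE_RECORDS = [
    {"key_id": "AIza-CONSTRUCTED-1", "timestamp": _ts("2024-05-01T09:59:00"), "source_ip": "203.0.113.5"},
    {"key_id": "AIza-CONSTRUCTED-1", "timestamp": _ts("2024-05-01T10:12:00"), "source_ip": "198.51.100.7"},
    {"key_id": "AIza-CONSTRUCTED-1", "timestamp": _ts("2024-05-01T10:45:00"), "source_ip": "198.51.100.7"},
    {"key_id": "AIza-CONSTRUCTED-2", "timestamp": _ts("2024-05-01T10:12:00"), "source_ip": "203.0.113.5"},
]


if __name__ == "__main__":
    report = run_simulation()
    print(f"last accepted request {report.last_success_offset_s}s after deletion; "
          f"fully revoked: {report.fully_revoked}")
    for minute, rate in report.per_minute_success_rate.items():
        print(f"  minute {minute}: {rate:.0%} of requests accepted")
    for f in flag_post_deletion_usage(SAMPLE_RECORDS, DELETED_KEYS):
        print("post-deletion use:", f)
```

Against a real project you would pass a `probe` that makes one cheap authenticated call with the deleted key and returns whether it was accepted, keep the default wall-clock `clock`/`sleep`, and feed `flag_post_deletion_usage` the usage records you already collect; the per-minute rates reproduce the kind of declining, replica-dependent success curve the report describes, and a finding with `beyond_window` set is the case that should never occur if the 30-minute assumption holds.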
