
When Gemini users delete Google API keys, those keys remain active for up to 23 minutes, giving attackers time to abuse them to dump data, cache conversations, and make API calls. Google “won’t fix” the “known property of the system” and doesn’t see it as a security issue, Aikido Security researchers said.
Following reports of abuses of stolen or exposed Google API keys, Aikido Security researchers tested how long they remain active after deletion. The answer is too long.
Instead of an immediate deletion, revocation propagates gradually across Google's servers – some reject the key within seconds, but others keep accepting it for longer.
Twenty-three minutes was the longest revocation window observed across the 10 trials over two days. However, the median time was still around 16 minutes, while the shortest time was nearly 8 minutes.
“Even a few seconds of delay matters,” Aikido researchers warn in a new report about Google API keys working after deletion.
“Long consistency windows are not compatible with authentication. The expectation when you delete a credential is that the credential is dead.”
Previously, a 4-second delay in credential revocation enabled exploitation of deleted AWS access keys to create new credentials.
Meanwhile, Google Cloud users are suffering from ongoing compromised API key abuse attacks that rack up massive bills without developers’ knowledge. One second is enough time for attackers to send hundreds of requests to Gemini.
“An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations,” the researchers at Aikido warn.
“Every extra second gives attackers more time to misuse a stolen key.”
While the researchers tested keys with access to Gemini, they also observed the same behavior with other keys, scoped to other Google Cloud Platform APIs, such as BigQuery and Maps.
However, new Gemini API keys with AQ. prefixes are revoked much faster after deletion, in around a minute, and Google Service Account keys in around 5 seconds.
Google “won’t fix” it
The researchers reported the issue to Google, but the tech giant closed the report as “won’t fix.”
“The team's position, as we understand it, is that propagation delay is a known property of the system and not a security issue,” the report reads.
Aikido holds the opinion that long revocation windows are fundamentally at odds with users' expectations of what should happen when they click the delete button.
Google Cloud even alerts users that “Once deleted, it (the key) can no longer be used to make API requests,” a statement that was disproved by the report.
Therefore, the security researchers recommend treating key deletion as a 30-minute procedure rather than an instant one – assume that the key may still be used after deletion. If attackers are abusing the key, the victims can only watch helplessly until it is finally revoked.
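A post-deletion check in the spirit of Aikido's test and of the 30-minute recommendation above, added here as an example (not Aikido's or Google's code): it keeps probing with the deleted key until no server has accepted it for a quiet period, and a constructed fleet on a fake clock reproduces the gradual propagation the report describes. `gemini_probe` assumes the Gemini list-models endpoint and that a revoked key is answered with an HTTP 4xx.

```python
import time
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

def measure_revocation_window(probe: Callable[[], bool], poll_interval: float = 10.0,
                              quiet_period: float = 120.0, max_wait: float = 1800.0,
                              clock: Callable[[], float] = time.monotonic,
                              sleep: Callable[[float], None] = time.sleep
                              ) -> Tuple[Optional[float], Optional[float]]:
    """Poll `probe` (True = key still accepted) right after deleting the key; stop once no
    server has accepted it for `quiet_period` seconds or `max_wait` (30 min) has passed.
    Returns (first rejection s, last acceptance s); one rejection alone proves nothing."""
    start = clock()
    first_reject: Optional[float] = None
    last_accept: Optional[float] = None
    while True:
        now = clock() - start
        if probe():
            last_accept = now
        elif first_reject is None:
            first_reject = now
        last_seen = last_accept if last_accept is not None else 0.0
        if now - last_seen >= quiet_period or now >= max_wait:
            return first_reject, last_accept
        sleep(poll_interval)

def gemini_probe(api_key: str) -> bool:
    """Live probe of the Gemini list-models endpoint (assumption: a revoked key gets a 4xx)."""
    url = f"https://generativelanguage.googleapis.com/v1beta/models?key={api_key}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        return not 400 <= err.code < 500  # 4xx: this server rejects the key; else keep waiting

class SimulatedFleet:
    """Constructed stand-in for servers that learn of the deletion at different times;
    polls are spread round-robin, so a probe may land on a server that still lags."""
    def __init__(self, delays_s: List[float], clock: Callable[[], float]):
        self.delays, self.clock, self.t0, self.i = delays_s, clock, clock(), 0
    def probe(self) -> bool:
        self.i += 1  # accepted only while the server this poll hit still lags
        return self.clock() - self.t0 < self.delays[(self.i - 1) % len(self.delays)]

def demo() -> Tuple[Optional[float], Optional[float]]:
    t = [0.0]  # fake monotonic clock, advanced by the fake sleep below
    fleet = SimulatedFleet([5.0, 480.0, 960.0, 1380.0], lambda: t[0])  # 5 s, 8, 16, 23 min
    return measure_revocation_window(fleet.probe, clock=lambda: t[0],
                                     sleep=lambda s: t.__setitem__(0, t[0] + s))
```

In the simulated run the first rejection arrives after 40 s while the last acceptance is at 1350 s, so a single early rejection would have called the key dead 22 minutes too soon; against a real project, call `measure_revocation_window(lambda: gemini_probe(KEY))` right after deleting KEY and treat the key as live until it returns.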
The report calls on Google to change its faulty design choice.