Data Security, Identity, API security, AI/ML

Google API keys for Gemini AI pose security risk

Google Cloud sign is displayed at Google campus in Silicon Valley - Sunnyvale, California, USA - November, 2019

As reported by Bleeping Computer, Google API keys, previously considered safe when embedded in client-side code for services like Maps, are now posing a significant security risk due to their authentication capabilities with the Gemini AI assistant. Researchers discovered nearly 3,000 exposed keys across various organizations, including Google itself.

The issue arises because Google Cloud API keys, once used solely for extending functionality like embedding maps or tracking usage, now also authenticate users to the Gemini AI assistant. Researchers at Truffle Security found over 2,800 live Google API keys publicly exposed in internet pages, primarily in JavaScript code. Attackers can copy these keys from a website's source code and use them to access private data via the Gemini API. This could lead to substantial financial charges, as threat actors could potentially generate thousands of dollars in daily costs per victim account by maximizing API calls.

Google has stated it is aware of the issue and has implemented measures to detect and block leaked keys accessing the Gemini API, including defaulting new keys to a Gemini-only scope and notifying users of detected leaks. Developers are urged to audit their API keys and rotate any that may be publicly exposed.

Source: Bleeping Computer

You can skip this ad in 5 seconds