Deleted Google API keys authenticate for 23 minutes

Deleting a Google Cloud API key does not immediately revoke access, leaving a 23-minute window where attackers can still authenticate. Google closed the bug report as "won't fix", citing propagation delay as a known system property.

// ANALYSIS

Authentication should never be eventually consistent, and a 23-minute revocation window for critical APIs is a dangerous architectural compromise.

  • Stolen keys can still be exploited to dump uploaded files or exfiltrate cached conversations after deletion
  • Revocation propagates unevenly across Google's infrastructure, with access decaying unpredictably rather than cutting off
  • The GCP console "Traffic by Credential" graph lumps all deleted key traffic into a confusing `apikey:UNKNOWN` bucket, hindering incident response
  • Google Service Account keys and new Gemini API keys revoke in under a minute, highlighting that this is a specific flaw in standard API keys
  • Google considers this a known system property rather than a security bug, leaving developers responsible for the exposure window
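
Because access decays unevenly rather than cutting off, a single refused request does not show that a deleted key is dead. The following is an added example, not code from the article or from Google: it confirms revocation only after an unbroken quiet period. The `probe` callable, the 600-second quiet period and the simulated acceptance schedule are assumptions made here; in real use `probe` would issue a harmless request to your own project with the deleted key and `sleep` would be `time.sleep`.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class RevocationReport:
    first_reject_s: Optional[float] = None    # first time the deleted key was refused
    last_accept_s: Optional[float] = None     # last time it was still accepted
    accepts_after_reject: int = 0             # accepts seen after a refusal (uneven decay)
    confirmed_dead_s: Optional[float] = None  # end of an unbroken quiet period, if reached

def watch_revocation(probe: Callable[[float], bool], interval_s: float = 30.0,
                     quiet_s: float = 600.0, max_s: float = 3600.0,
                     sleep: Callable[[float], None] = lambda s: None) -> RevocationReport:
    """probe(t) returns True if the deleted key was accepted t seconds after deletion."""
    report = RevocationReport()
    t = 0.0
    while t <= max_s:
        if probe(t):
            report.last_accept_s = t
            if report.first_reject_s is not None:
                report.accepts_after_reject += 1  # key came back after being refused
        else:
            if report.first_reject_s is None:
                report.first_reject_s = t
            # The quiet period restarts from the most recent accepted request.
            quiet_from = report.last_accept_s if report.last_accept_s is not None else 0.0
            if t - quiet_from >= quiet_s:
                report.confirmed_dead_s = t
                return report
        sleep(interval_s)
        t += interval_s
    return report  # confirmed_dead_s stays None: treat the key as still live

# Constructed schedule (not measured data): seconds after deletion at which the
# simulated key is still accepted, ending near the 23-minute mark.
SIMULATED_ACCEPTS = {0, 30, 60, 150, 300, 720, 1200, 1350}

def simulated_probe(t: float) -> bool:
    return t in SIMULATED_ACCEPTS

if __name__ == "__main__":
    print(watch_revocation(simulated_probe))
```

With the constructed schedule, the first refusal arrives at 90 seconds while the last accepted request is at 1350 seconds; a quiet period shorter than the gaps between accepts would confirm revocation too early.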

// TAGS

google-cloud, gemini, security, api, cloud

DISCOVERED: 2026-05-21

PUBLISHED: 2026-05-21

RELEVANCE: 8/10

AUTHOR: AikidoSecurity