Public Google keys quietly became Gemini credentials.


A security disclosure found that legacy public `AIza...` keys can gain Gemini API access once the Generative Language API is enabled, exposing private files/cached data and enabling costly abuse. Google says it has started blocking leaked keys, moving new AI Studio keys toward Gemini-only scope, and adding proactive leak notifications.

// ANALYSIS

This is less a one-off bug and more a platform trust break: old “safe to expose” key assumptions no longer hold once AI endpoints are added.

  • Truffle Security reported 2,863 live exposed keys from Common Crawl that could authenticate to Gemini endpoints after API enablement.
  • The risk is both data exposure and cost blowups, since attackers can run billable Gemini calls without touching victim infrastructure.
  • Google’s troubleshooting docs now explicitly acknowledge the vulnerability and provide recovery steps for blocked/leaked keys.
  • Follow-up reporting also points to mobile blast radius, with Quokka claiming 35,000 unique Google keys found across 250,000 scanned apps.
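
An added example (not part of the original item, and not code from Google, Truffle Security, or Quokka): a Python audit that flags which keys in a project's inventory can authenticate to Gemini and which of those also appear in publicly served content. The inventory field names (`displayName`, `keyString`, `restrictions.apiTargets[].service`) are assumed to follow the Google Cloud API Keys API key resource; every key, name, and HTML snippet is constructed sample data.

```python
import re

GEMINI_SERVICE = "generativelanguage.googleapis.com"
# Google API keys are "AIza" plus 35 URL-safe characters (39 in total).
KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

def find_keys(text):
    """Distinct AIza-style keys embedded in publicly served text."""
    return sorted(set(KEY_RE.findall(text)))

def gemini_reachable(key, enabled_services):
    """True if the key authenticates to Gemini in its project."""
    if GEMINI_SERVICE not in enabled_services:
        return False
    targets = key.get("restrictions", {}).get("apiTargets", [])
    # A key with no API restriction is valid for every enabled API.
    return not targets or any(t["service"] == GEMINI_SERVICE for t in targets)

def audit(keys, enabled_services, public_text):
    """Map display name -> action for every Gemini-capable key."""
    exposed = set(find_keys(public_text))
    findings = {}
    for key in keys:
        if not gemini_reachable(key, enabled_services):
            continue
        public = key["keyString"] in exposed
        findings[key["displayName"]] = (
            "rotate and restrict" if public else "restrict")
    return findings

# Constructed sample data: no real keys, projects, or pages.
MAPS_KEY, PINNED_KEY, BACKEND_KEY = ("AIza" + c * 35 for c in "ABC")
KEYS = [
    {"displayName": "maps-web", "keyString": MAPS_KEY, "restrictions": {}},
    {"displayName": "maps-pinned", "keyString": PINNED_KEY,
     "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
    {"displayName": "backend", "keyString": BACKEND_KEY,
     "restrictions": {"serverKeyRestrictions": {"allowedIps": ["203.0.113.7"]}}},
]
PUBLIC_HTML = (
    f'<script src="https://maps.googleapis.com/maps/api/js?key={MAPS_KEY}"></script>\n'
    f'<img src="https://maps.googleapis.com/maps/api/staticmap?key={PINNED_KEY}&zoom=3">'
)
ENABLED = ["maps-backend.googleapis.com", GEMINI_SERVICE]

if __name__ == "__main__":
    for name, action in audit(KEYS, ENABLED, PUBLIC_HTML).items():
        print(f"{name}: {action}")
```

The key pinned to a single Maps service is published but stays out of the findings, which is the state the "restrict" action aims for.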
// TAGS
gemini-api, api, llm, cloud, safety, pricing

DISCOVERED

2026-03-02 (87d ago)

PUBLISHED

2026-03-02 (87d ago)

RELEVANCE

9/10

AUTHOR

manual