YT · YOUTUBE // NEWS · 41d ago
Public Google keys quietly became Gemini credentials.
A security disclosure found that legacy public `AIza...` keys can gain Gemini API access once the Generative Language API is enabled, exposing private files/cached data and enabling costly abuse. Google says it has started blocking leaked keys, moving new AI Studio keys toward Gemini-only scope, and adding proactive leak notifications.
// ANALYSIS
This is less a one-off bug and more a platform trust break: old “safe to expose” key assumptions no longer hold once AI endpoints are added.
- Truffle Security reported 2,863 live exposed keys from Common Crawl that could authenticate to Gemini endpoints after API enablement.
- The risk is both data exposure and cost blowups, since attackers can run billable Gemini calls without touching victim infrastructure.
- Google’s troubleshooting docs now explicitly acknowledge the vulnerability and provide recovery steps for blocked/leaked keys.
- Follow-up reporting also points to mobile blast radius, with Quokka claiming 35,000 unique Google keys found across 250,000 scanned apps.
// TAGS
gemini-api, api, llm, cloud, safety, pricing
DISCOVERED: 2026-03-02 (41d ago)
PUBLISHED: 2026-03-02 (41d ago)
RELEVANCE: 9/10
AUTHOR: manual