Unrestricted Firebase Keys Trigger Gemini Billing Abuse

// 57d agoSECURITY INCIDENT

Unrestricted Firebase Keys Trigger Gemini Billing Abuse

A Firebase project owner reported an overnight €54,000+ Gemini API billing spike after enabling Firebase AI Logic on an existing project, with traffic that appeared automated rather than user-driven. Google said it is moving to disable unrestricted API keys for Gemini, add spend caps and more secure default auth keys, and recommends server-side calls plus key restrictions.

// ANALYSIS

Hot take: this is less a one-off billing bug than a bad-default security model colliding with AI usage economics.

–A Google API key that used to be “safe to expose” can become a Gemini credential once the API is enabled on the project.
–The reported damage window was short, and alerting lag meant the spend cap/budget alarms arrived after major charges had already accumulated.
–Google’s response suggests the platform is already changing: unrestricted keys are being phased out, spend caps exist, and leaked-key blocking is being expanded.
–The practical takeaway for developers is blunt: treat any client-side Google key as sensitive if Gemini is enabled anywhere in that project.

// TAGS

geminifirebasegoogle-cloudapi-keysbillingsecurityllmai-studio

DISCOVERED

57d ago

2026-04-16

PUBLISHED

57d ago

2026-04-16

RELEVANCE

10/ 10

AUTHOR

zanbezi

// KEEP READING

More AI developer news from the feed

EXPLORE FULL FEED

OPEN SOURCE1h ago

Qdrant is a production-ready, open-source vector search engine and database built in Rust for high-performance similarity search.

Qdrant is an open-source, high-performance vector search engine and database written in Rust. It is designed to store, manage, and search high-dimensional vectors with extended filtering support, making it well-suited for AI, machine learning, recommendation systems, and Retrieval-Augmented Generation (RAG) applications. Qdrant features a RESTful API and offers official client libraries for multiple programming languages including Python, Go, and TypeScript.

INFRA1h ago

The developer behind Crabbox is increasingly relying on Codex to automate the overwhelming volume of issues and pull requests.

The maintainer of Crabbox, an open-source project by OpenClaw, has integrated Codex directly into the build process to help manage a flood of community contributions. Codex has been running continuously inside Crabbox for the past four days, becoming an essential piece of infrastructure for testing and landing PRs.

UPDATE1h ago

Small Harness offers a lightweight framework for running local LLMs, with plans to introduce hybrid frontier-local orchestration optimized by VulcanBench.

Small Harness is a fast, transparent, open-source terminal harness designed to run local Large Language Models (LLMs) on local hardware. The creator, Morgan Linton, announced that the project will soon support hybrid workflows that connect frontier models for planning with local models for execution. Additionally, a tool called VulcanBench will be integrated to optimize when each model tier is utilized.