Time to Check Up on Old Google API Keys: New Gemini AI Exploit Could Cause Major Financial Damage
March 6, 2026
Most of the impacted Google API keys were put into place years ago (and prior to Gemini AI), when they were not at all the same sort of risk. Scans by security researchers have since found thousands of these exposed keys in webpage and app code that anyone can view.
People have long been told that Google API keys for services such as Maps and YouTube are not high security items, the implication being that it’s really no big deal if they’re exposed to the web in code somewhere. A new Gemini AI vulnerability reported by Truffle Security has changed that dynamic rather suddenly. It’s now high time to take inventory of any potentially exposed keys, as a threat actor can rather trivially copy them to run up your Gemini bill or even potentially access private data.
Gemini AI users could wake up to a surprise bill
An average amount for a small business or startup to spend on Gemini AI queries is probably somewhere in the very low hundreds of dollars per month. This exploit has the potential to drive that bill up into the thousands of dollars in the space of just a day, should an abuser be particularly nasty about it. It also has the potential to expose private data being stored with Gemini, with the attacker potentially just needing to ask the AI to give it up to gain access.
As “agentic AI” takes hold, many are rushing in without proper security awareness or hygiene in place. The Gemini AI bug is just one of many recent examples, though in this case it is hard to fault individuals: a lot of old Google API keys were quietly given Gemini authorization access without much of an announcement or general awareness. Regardless, it is now important to ensure that these keys are not sitting visible to the open internet in web page source code, GitHub repositories or app code.
The other sticky part of this issue is that Google has not fully remediated it yet. Likely the quickest fix for those potentially impacted will be to go to Google Cloud Platform and check whether any listed Google API keys have “Generative Language API” enabled or carry an “unrestricted” warning icon. If these keys also have Gemini AI access, anyone who finds them in public can start racking up a tab with them.
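The console check above can be scripted for an inventory of many keys. The following is an added example, not code from the article or from Google: it reads the JSON array that `gcloud services api-keys list --format=json` prints (API Keys API v2 `Key` resources; the field names `name`, `displayName`, `restrictions.apiTargets[].service` and the four `*KeyRestrictions` blocks, plus the service name `generativelanguage.googleapis.com`, are assumed from that schema) and flags every key that is unrestricted, that explicitly allows the Generative Language API, or that has no application restriction. The `SAMPLE_KEYS` are constructed.

```python
"""Flag Google Cloud API keys that could be used against Gemini.

Added example, not from the article or from Google. Input: the JSON array
printed by `gcloud services api-keys list --format=json` (API Keys API v2
`Key` resources; the field names used here are assumed from that schema).
The SAMPLE_KEYS below are constructed.
"""
import json
import sys

# Service name of the Generative Language (Gemini) API, assumed.
GEMINI_SERVICE = "generativelanguage.googleapis.com"
CLIENT_RESTRICTIONS = (
    "browserKeyRestrictions", "serverKeyRestrictions",
    "androidKeyRestrictions", "iosKeyRestrictions",
)


def classify_key(key):
    """Return the reasons this key needs review (empty list = looks fine)."""
    reasons = []
    restrictions = key.get("restrictions") or {}
    targets = [t.get("service", "") for t in restrictions.get("apiTargets") or []]
    if not targets:
        # This is the case the console marks with an "unrestricted" warning:
        # the key can call any API enabled in the project, Gemini included.
        reasons.append("no API restriction (unrestricted)")
    elif GEMINI_SERVICE in targets:
        reasons.append("Generative Language API explicitly allowed")
    if not any(r in restrictions for r in CLIENT_RESTRICTIONS):
        # Without an application restriction, anyone holding the key string
        # can use it from anywhere, which is what makes a leak costly.
        reasons.append("no application restriction")
    return reasons


def audit_keys(keys):
    """Map key resource name -> reasons, only for keys that need attention."""
    report = {}
    for key in keys:
        reasons = classify_key(key)
        if reasons:
            report[key.get("name", "?")] = reasons
    return report


# Constructed sample: three keys as `gcloud` would list them (abbreviated).
SAMPLE_KEYS = json.loads("""[
  {"name": "projects/example-proj/locations/global/keys/old-maps-key",
   "displayName": "Maps key (2019)", "createTime": "2019-04-02T10:00:00Z"},
  {"name": "projects/example-proj/locations/global/keys/maps-only",
   "displayName": "Maps, restricted",
   "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}],
                    "browserKeyRestrictions": {"allowedReferrers": ["https://example.test/*"]}}},
  {"name": "projects/example-proj/locations/global/keys/gemini-key",
   "displayName": "Gemini",
   "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}]}}
]""")

if __name__ == "__main__":
    # Pipe real output in (gcloud services api-keys list --format=json | python audit.py)
    # or run with no input to see the constructed sample.
    keys = SAMPLE_KEYS if sys.stdin.isatty() else json.load(sys.stdin)
    for name, reasons in audit_keys(keys).items():
        print(name.rsplit("/", 1)[-1], "->", "; ".join(reasons))
```

A key that appears in the report is a candidate for rotation; the replacement should be created with both an API restriction (only the services the key actually serves) and an application restriction, so that a copy found in public page source is of little use.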
Old Google API keys suddenly flipping from benign to vulnerable provides a lesson
The other piece of bad news is that Google does not yet have a complete remediation solution for this. Right now it is incumbent upon organizations to track down their own exposed keys and rotate them as soon as possible. Google is taking some action by blocking known leaked API keys and sending notifications to owners when it discovers exposed keys, but one should not rely on it to fix the problem in the background.
In addition to checking in with Google Cloud Platform, Gemini AI users should also take stock of what is available in the relevant /files/ and /cachedContents/ endpoints. An attacker with a key could simply ask Gemini to hand over anything stored in these areas.
The incident also illustrates agentic AI’s potential to turn formerly benign and overlooked functions into attack surfaces. But in this case, the solutions are things that organizations should ideally already be doing: not embedding secrets or access tokens into source code, keeping inventories of and visibility into all APIs in use, and ensuring that findings that can provide early detection are prioritized and actually visible in time to be actionable.
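Tracking down one's own exposed keys, as the article recommends, starts with scanning the code base. The following is an added example, not code from the article or from Truffle Security: it relies only on the public shape of Google API keys (the prefix `AIza` followed by 35 characters from `[A-Za-z0-9_-]`), walks a checkout, and reports each match redacted so the report itself does not become another leak. Every match is a lead to verify against the Cloud console key list, not proof of a live key. `SAMPLE_SOURCE` and the key string in it are constructed and are not a real credential.

```python
"""Find Google API key strings in a source tree so they can be rotated.

Added example, not from the article or from Truffle Security. The pattern is
the public shape of Google API keys ("AIza" + 35 chars of [A-Za-z0-9_-]).
SAMPLE_SOURCE and the key in it are constructed, not a real credential.
"""
import os
import re

# Word-boundary guards keep the pattern from matching inside longer tokens.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])AIza[0-9A-Za-z_-]{35}(?![A-Za-z0-9_-])"
)
SKIP_DIRS = {".git", "node_modules", "vendor", "dist", "build", "__pycache__"}
MAX_FILE_BYTES = 2_000_000  # skip bundles and binaries larger than this


def redact(key):
    """Keep just enough of the key to match it in the console, no more."""
    return key[:8] + "..." + key[-4:]


def scan_text(text, path="<memory>"):
    """Return one finding per occurrence: (path, line number, redacted key)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            findings.append((path, lineno, redact(m.group(0))))
    return findings


def scan_tree(root):
    """Walk a checkout and scan every readable, text-like file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > MAX_FILE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if b"\0" in data:  # crude binary check
                continue
            findings.extend(scan_text(data.decode("utf-8", "ignore"), path))
    return findings


# Constructed sample: a front-end file with a hard-coded (fake) Maps key and a
# comment that merely mentions the prefix, which must not be reported.
SAMPLE_SOURCE = """\
// map.js
const MAPS_KEY = "AIzaSyD-FAKE_FAKE_FAKE_FAKE_FAKE_FAKE12";
// keys starting with AIza are Google API keys; load them from config instead
fetch(`https://maps.googleapis.com/maps/api/js?key=${MAPS_KEY}`);
"""

if __name__ == "__main__":
    import sys
    # python scan.py /path/to/checkout, or no argument to scan the sample.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "map.js")
    for path, lineno, key in results:
        print(f"{path}:{lineno}: {key}")
```

Run it against the checkout of every site and app that was live in the years before Gemini existed, since those are the keys the article describes; a hit on a key that the console also shows as unrestricted is the combination that needs rotating first. The same scan belongs in CI so a rotated key is not re-committed later.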