All Topics
All Topics
Technology
Technology
Design
Design
Programming
Programming
Science
Science
News
News
Gaming
Gaming
Entertainment
Entertainment
Business
Business
Finance
Finance
Sports
Sports
Health
Health
Food
Food
Travel
Travel
Art
Art
Music
Music
Books
Books
Education
Education
Politics
Politics
Personal
Personal
No algorithm. No AI slop. No ads. Just RSS. Pro-human. Indie writers. Real journalism. Open web. Chronological. Hand toasted.

Google API Keys Security Risk: Public Keys Now Grant Unauthorized Access to Gemini

By

hiisthisthingon

3mo ago· 9 min readenInsight
Bagel score 100 of 100
100/100
Golden Brown
Bagelometer

The bagel they save for the regulars. Don't skim, savour.

Score100TypeanalysisSentimentnegative

Summary

Google's long-standing policy that API keys for services like Maps and Firebase were not secrets has changed with the introduction of Gemini. Researchers found that thousands of publicly exposed Google API keys, originally intended for public services, can now be used to access Gemini and potentially compromise private data, upload files, and incur charges on the account holder. The article reveals a significant security vulnerability where old public API keys can be repurposed for unauthorized access to Gemini's capabilities.

Key quotes

· 4 pulled
Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true: Gemini accepts the same keys to access your private data.
We scanned millions of websites and found nearly 3,000 Google API keys, originally deployed for public services like Google Maps, that now also authenticate to Gemini even though they were never intended for it.
With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account.
Even Google themselves had old public API keys, which they thought were safe for public use.
Snippet from the RSS feed
Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true.

You might also wanna read

Google's Gemini AI Gains Personal Data Access Feature, But Still Has Fundamental Limitations

Google's Gemini AI chatbot has introduced a new 'Personal Intelligence' feature that allows it to access users' personal data from Google se

The Verge·4mo ago

Security Researchers Discover ChatGPT Vulnerability That Could Extract Sensitive Gmail Data

Security researchers from Radware discovered a vulnerability called 'Shadow Leak' that allowed ChatGPT to be manipulated into extracting sen

The Verge·8mo ago

Google Gemini's Deep Research Feature Now Integrates Personal Data from Gmail, Drive, and Chat

Google has introduced a new 'Deep Research' feature for its Gemini AI that can access users' personal data from Gmail, Drive, and Chat to cr

The Verge·6mo ago

Google Launches Gemini 3 AI Model with Enhanced Coding and Visualization Capabilities

Google is launching Gemini 3, its latest and most advanced AI model series, positioning it as the company's 'most intelligent' and 'factuall

The Verge·6mo ago

Google Expands Personal Intelligence AI Feature to All US Users

Google has expanded access to its Personal Intelligence AI feature to all users in the United States, removing the previous limitation to pa

The Verge·2mo ago

Google Clarifies Gemini AI Usage Limits with Specific Daily Prompt Allowances

Google has finally clarified the usage limits for its Gemini AI service, providing specific daily prompt allowances: 5 prompts for free acco

The Verge·8mo ago