
"We scanned millions of websites and found nearly 3,000 Google API keys that now also authenticate to Gemini even though they were never intended for it. With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account," Truffle said in February.
"Because Android applications can be easily unpacked and inspected, extracting these keys requires minimal technical skill, and automated scraping at scale is entirely feasible. What used to be low-risk visibility has quietly turned into a meaningful attack surface," Quokka said.
"The Google API keys, all using the 'AIza...' format, can be abused for retroactive privilege escalation: a key that a developer creates and embeds in their application provides access to all Gemini endpoints when the AI is enabled on the project."
Threat actors can extract Google API keys from Android applications and use them to reach Gemini AI endpoints without authorization. The research shows that keys created for other Google services now also authenticate to Gemini, giving whoever holds one access to uploaded files and cached data and letting them bill LLM usage to the victim's project. Truffle Security found nearly 3,000 such keys across millions of websites, Quokka found more than 35,000 unique keys in 250,000 Android apps, and CloudSEK identified 32 keys in 22 popular apps with a combined install base of over 500 million users. Because unpacking an APK and scraping keys from it requires minimal skill and is easy to automate, keys that were once low-risk visibility now form a meaningful attack surface and a route to retroactive privilege escalation.
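The scraping step the researchers describe is simple enough to show end to end. The following is an added example, not code from Truffle, Quokka, CloudSEK or the SecurityWeek article: it treats an APK as the zip archive it is, scans every entry for the 'AIza...' key shape (the "AIza" prefix followed by 35 URL-safe characters), and reports which entries contained each key. The sample archive, the two fake keys and the file layout are all constructed for the example; the byte pattern's handling of UTF-16LE string pools is an assumption about how keys end up inside `resources.arsc`. The example stops at extraction and never contacts Google; checking whether a recovered key actually authenticates to Gemini is a separate, authorised step on a project you own.

```python
import io
import re
import zipfile

# Google API keys are "AIza" followed by 35 URL-safe characters (39 in total).
# Inside an APK the same string can sit in several encodings: plain text in
# assets, MUTF-8 in classes.dex, and UTF-8 or UTF-16LE in the resources.arsc
# string pool (the UTF-16LE case is an assumption made for this example). The
# optional NUL after each character lets a single bytes pattern match both the
# 8-bit and the UTF-16LE layouts without decoding arbitrary binary blobs.
KEY_RE = re.compile(rb"A\x00?I\x00?z\x00?a\x00?(?:[0-9A-Za-z_\-]\x00?){35}")


def find_keys(blob: bytes) -> set[str]:
    """Return every AIza-style key in a byte string, normalised to ASCII."""
    return {
        m.group(0).replace(b"\x00", b"").decode("ascii")
        for m in KEY_RE.finditer(blob)
    }


def scan_apk(apk: bytes) -> dict[str, list[str]]:
    """Map each key found in an APK (a zip archive) to the entries containing it."""
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for key in find_keys(zf.read(info.filename)):
                hits.setdefault(key, []).append(info.filename)
    return hits


# Constructed fake keys: correct length and alphabet, never issued by Google.
FAKE_KEY_A = "AIzaSyEXAMPLE_NOT_A_REAL_KEY_0123456789"
FAKE_KEY_B = "AIzaSyANOTHER_FAKE_KEY_FOR_TESTING_0000"


def build_sample_apk() -> bytes:
    """Constructed stand-in for an app package; it is not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Same key embedded twice, once in XML and once in a JSON asset.
        zf.writestr("res/values/strings.xml",
                    f'<string name="api_key">{FAKE_KEY_A}</string>')
        zf.writestr("assets/config.json", f'{{"maps_key": "{FAKE_KEY_A}"}}')
        # A second key stored UTF-16LE with binary padding around it, the way
        # a compiled resource string pool might hold it (assumed layout).
        zf.writestr("resources.arsc",
                    b"\x02\x00\x0c\x00" + FAKE_KEY_B.encode("utf-16-le") + b"\x00\x00")
        # A short "AIza" fragment that must not be reported as a key.
        zf.writestr("classes.dex", b"dex\n035\x00...AIzaShort\x00...")
    return buf.getvalue()


if __name__ == "__main__":
    for key, entries in scan_apk(build_sample_apk()).items():
        print(key, "->", ", ".join(sorted(entries)))
```

Running the block against a real APK is just `scan_apk(open("app.apk", "rb").read())`. The output is a list of candidates, not proof of exposure: a key that turns up here still has to be checked against the API restrictions configured on its Google Cloud project, and, as the research notes, a key with no restriction on Gemini is the one that matters.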
Read at SecurityWeek