
"With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account. The keys now also authenticate to Gemini even though they were never intended for it. The problem occurs when users enable the Gemini API on a Google Cloud project, causing existing API keys to gain surreptitious access to Gemini endpoints without any warning or notice."
"The result: thousands of API keys that were deployed as benign billing tokens are now live Gemini credentials sitting on the public internet. In all, the company said it found 2,863 live keys accessible on the public internet, including a website associated with Google. This effectively allows any attacker who scrapes websites to get hold of such API keys and use them for nefarious purposes and quota theft."
"Creating a new API key in Google Cloud defaults to "Unrestricted," meaning it's applicable for every enabled API in the project, including Gemini. The disclosure comes as Quokka published a similar report, finding over 35,000 unique Google API keys embedded in its scan of 250,000 Android apps."
Truffle Security discovered a critical vulnerability where Google Cloud API keys, typically used for project identification and billing, can be abused to authenticate to sensitive Gemini endpoints. Nearly 3,000 API keys with the "AIza" prefix were found embedded in client-side website code. When users enable the Gemini API on a Google Cloud project, existing API keys automatically gain access to Gemini endpoints without warning, allowing attackers to access uploaded files, cached data, and charge LLM usage to victim accounts. The problem is compounded by Google Cloud's default setting of "Unrestricted" for new API keys, making them applicable to all enabled APIs. Truffle Security identified 2,863 live keys publicly accessible, including one associated with Google itself.
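The finding above is, at bottom, a secret-scanning problem: "AIza"-prefixed keys shipped in client-side HTML and JavaScript. The following is an added defender-side example, not Truffle Security's scanner or any code from the article, that searches a set of web assets for key-shaped tokens and groups the hits so the same key reused across several files is reported once. It assumes the commonly used detector shape for these keys (the literal prefix "AIza" followed by 35 URL-safe characters; the page itself only states the prefix), and the sample assets and key bodies are constructed placeholders.

```python
"""Scan client-side web assets for embedded Google Cloud API keys.

Added example: a small defender-side detector for the "AIza"-prefixed keys
described in the article. Not Truffle Security's tooling; all key bodies
below are constructed placeholders of the right shape, not real credentials.
"""
import re
from collections import defaultdict

# Shape of a Google Cloud API key as commonly matched by secret scanners:
# literal "AIza" followed by 35 URL-safe characters (39 characters in total).
# Assumption: the page only states the "AIza" prefix; the length and charset
# are the widely used detector pattern, not something the page specifies.
# The lookarounds stop the match from firing inside a longer token.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Constructed placeholder keys of the correct length (4 + 10 + 25 = 39 chars).
FAKE_KEY_MAPS = "AIza" + "SyFAKEKEY1" + "0" * 25
FAKE_KEY_GEMINI = "AIza" + "SyFAKEKEY2" + "1" * 25

# Constructed sample assets standing in for fetched site content. The same
# key appears in two files on purpose, and readme.txt holds a decoy prefix.
SAMPLE_ASSETS = {
    "index.html": (
        '<script src="https://maps.googleapis.com/maps/api/js?key='
        + FAKE_KEY_MAPS + '"></script>'
    ),
    "app.bundle.js": (
        'const cfg={gemini:{endpoint:"https://generativelanguage.googleapis.com/v1beta",'
        'apiKey:"' + FAKE_KEY_GEMINI + '"}};'
        'fetch(cfg.gemini.endpoint+"/models?key="+cfg.gemini.apiKey);'
    ),
    "legacy.js": 'var mapsKey = "' + FAKE_KEY_MAPS + '"; // same key reused',
    "readme.txt": "Docs mention the AIzaShortThing prefix but hold no real key.",
}


def find_keys(assets):
    """Return a list of (path, key, line_no) for every key-shaped token found."""
    hits = []
    for path, text in assets.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in GOOGLE_API_KEY_RE.finditer(line):
                hits.append((path, m.group(0), line_no))
    return hits


def redact(key):
    """Show enough of a key to correlate findings without reproducing it."""
    return key[:8] + "..." + key[-4:]


def group_by_key(hits):
    """Map each distinct key to the sorted list of files exposing it.

    A key found in several assets is one credential with several leak points,
    so triage (restrict or rotate) happens per key, not per file.
    """
    grouped = defaultdict(set)
    for path, key, _line_no in hits:
        grouped[key].add(path)
    return {key: sorted(paths) for key, paths in grouped.items()}


def report(assets):
    """Produce one redacted line per distinct key found in the assets."""
    grouped = group_by_key(find_keys(assets))
    return [
        f"{redact(key)} exposed in {len(paths)} file(s): {', '.join(paths)}"
        for key, paths in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_ASSETS):
        print(line)
```

Every hit is a key that, per the article, is a live credential for whichever APIs the project has enabled, Gemini included, unless the key itself has been restricted. The follow-up for each reported key is to check its API restrictions and HTTP referrer restrictions in the Google Cloud console (the page notes new keys default to "Unrestricted"), and to rotate it if it cannot be scoped down.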
Read at The Hacker News