Google API Keys Stay Active 23 Minutes After Deletion

Google API Keys Persist After Deletion, Raising Security Concerns
According to recent reports, a newly identified flaw in Google Cloud's API key management system allows deleted credentials to remain active for up to 23 minutes. This delay in invalidation could expose projects to unauthorized access and potential abuse, particularly for sensitive services like Gemini, BigQuery, and Google Maps APIs.
The Discovery
Security researchers at Aikido uncovered the issue, highlighting that even after an API key is revoked or deleted, it continues to function for a window of up to 23 minutes. This persistence undermines the immediate security response expected when credentials are compromised or no longer needed.
Implications for Cloud Services
The delayed revocation affects a range of Google Cloud services, including:
- Gemini: Google's AI model API
- BigQuery: Data analytics platform
- Google Maps APIs: Location and mapping services
Attackers who obtain a deleted key could still use it during that window to query these services, potentially leading to data breaches, financial costs, or service abuse.
Recommendations for Users
To mitigate risks, organizations should:
- Regularly rotate API keys and monitor usage logs for anomalies.
- Implement additional authentication layers, such as OAuth 2.0, where possible.
- Consider using service accounts with short-lived tokens instead of long-lived API keys.
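The first recommendation (rotate keys and monitor usage logs for anomalies) can be made concrete with a small log check that flags any request made with a key after the time it was deleted, and separates requests inside the reported 23-minute window from those that arrive later. This is an added example, not code from the article, from Aikido, or from Google; the log format, field names and key identifiers are constructed for illustration and do not match real Cloud Logging entries.

```python
"""Detect use of deleted Google Cloud API keys after their deletion time.

Added example (not code from the original article or from Aikido/Google).
The log format below is a constructed, simplified one: real Cloud Logging
entries differ, so the field names are assumptions for illustration only.
"""
import json
from datetime import datetime, timedelta, timezone

# Revocation window reported in the article: deleted keys may keep working
# for up to 23 minutes.
REVOCATION_WINDOW = timedelta(minutes=23)

# Constructed sample: when each key was deleted in the project (UTC).
REVOKED_KEYS = {
    "AIza-example-old-key-1": "2024-05-01T10:00:00Z",
}

# Constructed sample log lines (one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:58:00Z", "key_id": "AIza-example-old-key-1", "service": "generativelanguage.googleapis.com", "status": 200}
{"ts": "2024-05-01T10:05:00Z", "key_id": "AIza-example-old-key-1", "service": "generativelanguage.googleapis.com", "status": 200}
{"ts": "2024-05-01T10:20:00Z", "key_id": "AIza-example-old-key-1", "service": "bigquery.googleapis.com", "status": 200}
{"ts": "2024-05-01T10:30:00Z", "key_id": "AIza-example-old-key-1", "service": "maps.googleapis.com", "status": 403}
{"ts": "2024-05-01T10:06:00Z", "key_id": "AIza-example-new-key-2", "service": "bigquery.googleapis.com", "status": 200}
"""


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_revocation_use(log_text, revoked_keys, window=REVOCATION_WINDOW):
    """Return a finding for every request made with a key after its deletion.

    Each finding records how long after deletion the request happened and
    whether it fell inside the window in which the key may still have been
    accepted ("in_window") or after it ("after_window", which should have
    been rejected and deserves a closer look).
    """
    revoked_at = {k: parse_ts(v) for k, v in revoked_keys.items()}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key = rec["key_id"]
        if key not in revoked_at:
            continue  # key is not one we deleted
        ts = parse_ts(rec["ts"])
        delay = ts - revoked_at[key]
        if delay < timedelta(0):
            continue  # used before deletion: normal activity
        findings.append({
            "key_id": key,
            "service": rec["service"],
            "status": rec["status"],
            "minutes_after_deletion": round(delay.total_seconds() / 60, 1),
            "classification": "in_window" if delay <= window else "after_window",
        })
    return findings


def summarize(findings):
    """Count successful (HTTP 2xx) post-deletion requests per service,
    which is the exposure that matters for cost and data-access review."""
    counts = {}
    for f in findings:
        if 200 <= f["status"] < 300:
            counts[f["service"]] = counts.get(f["service"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_post_revocation_use(SAMPLE_LOG, REVOKED_KEYS)
    for h in hits:
        print(h)
    print("successful post-deletion requests per service:", summarize(hits))
```

On the constructed sample, two successful requests land inside the 23-minute window (one against the Gemini endpoint, one against BigQuery) and a later request is rejected. Any successful request in the "after_window" class would indicate the key was still accepted past the reported delay and should be escalated; successful requests inside the window are the expected exposure the article describes and are the ones to review for data access and billing impact.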
Google has been notified of the issue, and users are advised to stay updated on any patches or changes to key invalidation policies.