Google API keys weren't secrets, but then Gemini changed the rules (trufflesecurity.com)

🤖 AI Summary
Google's recent changes to its API key handling have raised significant security concerns for developers. For over a decade, Google assured developers that API keys, such as those used for Maps and Firebase, were not sensitive and could safely be embedded in client-side code. With the introduction of the Gemini API, those same keys can now reach private data: scans found nearly 3,000 exposed keys that work against Gemini, letting an attacker retrieve private files and cached content while running up charges on the key owner's account. The core problems are retroactive privilege escalation and an insecure default: keys created for benign services gained access to Gemini features without their owners being notified, and the design affects individual developers and large organizations alike, Google itself included. Google has begun to mitigate this, for example by scoping newly created keys to Gemini-only access and improving detection of leaked credentials, but the burden remains on developers to audit their existing keys and make sure none are inadvertently exposing sensitive data.
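The audit the summary calls for has two parts: find key-shaped strings in your own code and configs, then check whether each one is actually usable against Gemini. The script below is an added example written for this page; it is not code from the article or from Truffle Security. The key format it matches (the literal prefix `AIza` followed by 35 characters from `[0-9A-Za-z_-]`) is Google's published API key shape, and the verification endpoint is the documented Gemini REST models list; the interpretation of a 200 response as "this key is accepted by Gemini" is this example's assumption. The sample files and the two key-shaped strings in them are constructed and are not real credentials.

```python
"""Offline scan for Google API keys plus an optional online Gemini access check.

Added example for this page; not code from the article or from Truffle Security.
"""
from __future__ import annotations

import re
import urllib.error
import urllib.request

# Google API keys are 39 characters: the prefix "AIza" followed by 35 characters
# from the set [0-9A-Za-z_-]. Lookarounds (rather than \b) keep a key that ends
# in "-" or "_" from being missed and stop longer tokens from matching.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Documented Gemini REST endpoint listing available models. It takes the key in
# the x-goog-api-key header. Treating a 200 as "key accepted" is this example's
# assumption, not something the article states.
GEMINI_MODELS_URL = "https://generativelanguage.googleapis.com/v1beta/models"


def mask(key: str) -> str:
    """Show enough of a key to identify it in a report without re-leaking it."""
    return f"{key[:8]}...{key[-4:]}"


def find_keys(text: str, name: str = "<input>") -> list[dict]:
    """Return one finding per key-shaped token, with file name and 1-based line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno, "key": match.group(0)})
    return findings


def audit(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of file name -> contents and return all findings, masked."""
    report = []
    for name, text in files.items():
        for hit in find_keys(text, name):
            report.append({**hit, "masked": mask(hit["key"])})
    return report


def gemini_accepts(key: str, timeout: float = 10.0) -> bool:
    """Online check: does the Gemini API accept this key at all?

    Only run this against keys from projects you own. A 200 from the models
    endpoint means the key is accepted; any HTTP error is treated as "not
    usable for Gemini" (this collapses "restricted", "invalid" and "disabled").
    Not called by the offline demo below.
    """
    req = urllib.request.Request(GEMINI_MODELS_URL, headers={"x-goog-api-key": key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False


# Constructed sample files. The two key-shaped strings are fabricated values
# that only match the format; they are not real credentials.
SAMPLE_FILES = {
    "web/firebase-config.js": (
        "const firebaseConfig = {\n"
        '  apiKey: "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q",\n'
        '  projectId: "demo-app",\n'
        "};\n"
    ),
    "infra/.env": "MAPS_KEY=AIzaSyZ9y8X7w6V5u4T3s2R1q0P9o8N7m6L5k4J\nREGION=us-central1\n",
    "README.md": "Set your own key; never commit AIza... values to the repo.\n",
}


if __name__ == "__main__":
    # Offline demo: report each finding masked, and point at the online check.
    for hit in audit(SAMPLE_FILES):
        print(f"{hit['file']}:{hit['line']}  {hit['masked']}  -> verify with gemini_accepts()")
```

Run the script as-is to see the offline scan over the constructed files; point `audit()` at your own repository contents for a real pass. Call `gemini_accepts()` only on keys you own: a key that the scan finds in client-side code and that Gemini accepts is exactly the case the article describes, and the fix is to restrict or rotate it rather than to keep treating it as public.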