🤖 AI Summary
A recent incident involving an unexpected €54,000 spike in charges from the Gemini API highlights potential vulnerabilities in using Firebase AI Logic. After implementing a new AI feature in an existing Firebase project, the developers noticed an alarming surge in automated API calls that was not correlated with actual user activity. Despite efforts to disable the API and rotate credentials quickly, costs mounted to €28,000 before the developers received alerts, which were themselves delayed, and the final bill ultimately exceeded €54,000. Google's support classified these charges as valid usage since they originated from the project's credentials.
This situation underscores significant concerns in the AI/ML community regarding security and attribution of API calls, particularly as developers increasingly integrate advanced AI functionalities. There is an urgent need for enhanced safeguards, beyond existing measures like App Check and server-side calls, to prevent unauthorized or unintended API usage that can lead to substantial costs. The developers are now seeking insights from the community on whether others have encountered similar issues and what strategies can be adopted to mitigate such risks in the future.