E-Ink News Daily

Google API keys keep working after you delete them long enough to be exploited

A critical security vulnerability has been discovered in which deleted Google API keys remain active for up to 23 minutes, giving attackers continued access to sensitive data and services, including Gemini. Google initially closed the report as 'won't fix' but has since reclassified it as a P0 priority bug. The revocation delay is a significant security risk because attackers can keep using a key in the window before the deletion propagates across Google's infrastructure.

Background

API keys are used to authenticate and authorize access to cloud services and data, and their immediate revocation is crucial for security. Google's infrastructure uses eventual consistency, which can cause delays in propagating authentication changes across its global network.
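For responders, the practical consequence is that the exposure window of a leaked key ends some time after the delete call, not at it. The sketch below is an added example, not code from the article or from Google: it reviews usage records for a deleted key and separates successful calls inside the reported 23-minute window from later ones. The log format, key IDs and timestamps are constructed for illustration and are not a real Google log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed format, not a real Google log schema):
# ISO-8601 UTC timestamp, key id, HTTP status of the API call.
SAMPLE_LOG = """\
2026-05-22T10:58:41Z key-A 200
2026-05-22T11:03:10Z key-A 200
2026-05-22T11:04:55Z key-B 200
2026-05-22T11:19:27Z key-A 200
2026-05-22T11:26:02Z key-A 403
2026-05-22T11:40:00Z key-A 200
"""

REPORTED_WINDOW = timedelta(minutes=23)  # upper bound stated in the article


def parse(log_text):
    """Yield (timestamp, key_id, status) for each non-empty record."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, key_id, status = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), key_id, int(status)


def review_deleted_key(log_text, key_id, deleted_at):
    """Classify successful calls made with key_id after its deletion time."""
    in_window, beyond_window = [], []
    for ts, kid, status in parse(log_text):
        if kid != key_id or ts <= deleted_at or not 200 <= status < 300:
            continue  # other key, pre-deletion call, or rejected request
        delay = ts - deleted_at
        bucket = in_window if delay <= REPORTED_WINDOW else beyond_window
        bucket.append((ts, delay))
    delays = [d for _, d in in_window + beyond_window]
    return {
        "in_window": in_window,          # consistent with the propagation delay
        "beyond_window": beyond_window,  # revocation may not have taken effect
        "last_success_delay": max(delays, default=timedelta(0)),
    }


if __name__ == "__main__":
    report = review_deleted_key(SAMPLE_LOG, "key-A", datetime(2026, 5, 22, 11, 0, 0))
    for name in ("in_window", "beyond_window"):
        for ts, delay in report[name]:
            print(f"{name}: success at {ts} ({delay} after deletion)")
```

Every call in either bucket was served after the key was deleted, so both belong in the incident scope; entries in `beyond_window` additionally suggest the deletion should be re-checked.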

Source: Lobsters
Published: May 22, 2026 at 12:13 PM
Score: 8.0 / 10