Developer Faces €54,000 Gemini API Bill After Firebase Browser Key Exposed to Unauthorized Requests
Key Takeaways
- Unrestricted Firebase browser keys can expose Gemini APIs to unauthorized access, resulting in severe billing consequences within hours
- Google Cloud's billing alerts and anomaly detection provide insufficient real-time protection, with delays allowing costs to spiral before remediation
- Google Cloud support declined to adjust charges even when usage was clearly anomalous and non-user-driven, raising questions about billing dispute resolution for security incidents
Summary
A developer reported an unexpected €54,000+ billing spike within 13 hours of enabling Firebase AI Logic on their Firebase project, traced to unauthorized Gemini API requests originating from an unrestricted Firebase browser key. The anomalous traffic appeared automated and was not correlated with legitimate user activity, yet Google Cloud support classified the charges as valid usage and denied a billing adjustment request. The incident highlights a critical security gap: Firebase browser keys carry no API restrictions by default, so once such a credential is exposed, anyone holding it can consume any API enabled on the project at the owner's expense. Budget and cost-anomaly alerts did fire, but they arrived late enough that the developer had already incurred €28,000 in charges before disabling the API and rotating credentials.
Current safeguards (App Check, quotas, server-side calls) may be insufficient without stricter default API key restrictions and real-time rate limiting.
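As an added illustration (not code from the article, the developer, or Google), here is the kind of key-inventory audit a defender would run after reading the summary above: it takes the JSON that `gcloud services api-keys list --format=json` prints and flags browser keys that have no API restriction at all, or that are allowed to call Gemini-capable services directly from the browser. The layout of the `restrictions` field and the two AI service names are assumptions; the sample keys are constructed, not taken from the incident.

```python
"""Audit Google Cloud API keys for the gap described in the article:
browser keys with no API restrictions, or with AI services allowed."""
import json

# Assumption: service names behind Firebase AI Logic and the Gemini Developer API.
AI_SERVICES = {"firebasevertexai.googleapis.com", "generativelanguage.googleapis.com"}


def audit_keys(keys):
    """Return (display_name, finding) tuples for risky keys.

    `keys` follows the shape of `gcloud services api-keys list --format=json`
    (assumed): each key has `restrictions.apiTargets[].service` and
    `restrictions.browserKeyRestrictions.allowedReferrers`.
    """
    findings = []
    for key in keys:
        name = key.get("displayName") or key.get("name", "<unnamed>")
        restrictions = key.get("restrictions", {})
        targets = {t["service"] for t in restrictions.get("apiTargets", []) if "service" in t}
        browser = restrictions.get("browserKeyRestrictions")
        if not targets:
            # No apiTargets means the key may call every API enabled on the project.
            findings.append((name, "no API restrictions: key can call every enabled API, including Gemini"))
        elif targets & AI_SERVICES:
            findings.append((name, f"allowed to call AI services from the client: {sorted(targets & AI_SERVICES)}"))
        if browser is not None and not browser.get("allowedReferrers"):
            # A browser key with an empty referrer allowlist is usable from any origin.
            findings.append((name, "browser key with empty referrer allowlist"))
    return findings


# Constructed sample mimicking gcloud output; project number and key ids are placeholders.
SAMPLE_KEYS = json.loads("""[
  {"name": "projects/123/locations/global/keys/aaa", "displayName": "Browser key (auto created by Firebase)",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": []}}},
  {"name": "projects/123/locations/global/keys/bbb", "displayName": "web-prod",
   "restrictions": {"apiTargets": [{"service": "firebase.googleapis.com"},
                                   {"service": "generativelanguage.googleapis.com"}],
                    "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]}}},
  {"name": "projects/123/locations/global/keys/ccc", "displayName": "web-locked",
   "restrictions": {"apiTargets": [{"service": "firebase.googleapis.com"}],
                    "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]}}}
]""")

if __name__ == "__main__":
    for key_name, finding in audit_keys(SAMPLE_KEYS):
        print(f"{key_name}: {finding}")
```

In the sample, the auto-created key is reported twice (unrestricted and origin-less), `web-prod` once for exposing a Gemini service to the browser, and `web-locked` not at all.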
Editorial Opinion
This incident exposes a serious design vulnerability in Google's Firebase and Gemini API integration. While Firebase AI Logic lowers the barrier to entry for developers integrating AI features, the default lack of API key restrictions on browser-exposed credentials creates an unacceptable security risk. The fact that Google Cloud denied a billing adjustment despite clearly anomalous usage patterns suggests the company should reconsider its billing dispute policies for security-related incidents—developers should not bear the full financial burden of infrastructure vulnerabilities they didn't create.