Security researchers discover 23-minute vulnerability window in Google API key revocation
Key Takeaways
- Deleted Google API keys remain usable for up to 23 minutes (averaging 16 minutes) because revocation propagates inconsistently across Google's infrastructure
- Attackers can extract files, exfiltrate cached Gemini conversations, and incur unauthorized charges during the revocation window
- Google's automatic billing tier upgrades can escalate potential damages from thousands to tens of thousands of dollars without developer consent
Summary
Security researchers at Aikido have disclosed a significant weakness in Google's API key revocation system: deleted API keys can remain functional for up to 23 minutes while the revocation propagates unevenly across Google's infrastructure. During this window, an attacker holding a leaked key can extract sensitive files from Google Gemini projects, exfiltrate cached conversations, and run up unauthorized charges before the victim realizes the credential is still live. The weakness is particularly dangerous in combination with Google's automatic billing tier upgrades, which can raise a long-standing account's spending limit from $250 to $100,000 when usage spikes unexpectedly. In Aikido's testing the window averaged 16 minutes and stretched to 23 minutes at worst, and the success rate for requests using the deleted key swung unpredictably: in some intervals more than 90% of requests were accepted, in others fewer than 1%. Because the success rate varies this widely, a single rejected request tells a developer nothing about whether the account is actually protected yet.
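The practical consequence of uneven propagation is that "I got a 400 back, so the key is dead" is not a safe conclusion during the window. The following added example (not Aikido's or Google's code) is a post-deletion check that declares a key revoked only after a run of consecutive rejections long enough to outlast the variance Aikido observed, plus a per-window acceptance-rate report of the kind used to characterize the window. It assumes the Gemini "list models" endpoint at `generativelanguage.googleapis.com` as a cheap key-authenticated probe and assumes that 400/401/403 mean the key was rejected; the `SimulatedRevocation` class is a constructed stand-in so the example runs offline.

```python
"""Verify that a deleted Google API key is really dead before closing the incident.

Added example, not Aikido's or Google's code. Because revocation propagates
unevenly, one rejected request proves nothing: the next request may land on
a backend that still accepts the key. Probe repeatedly and declare the key
revoked only after a long enough run of consecutive rejections.
"""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumption: the Gemini API "list models" endpoint, which authenticates with
# the key in the query string; any cheap key-authenticated endpoint would do.
GEMINI_MODELS_URL = "https://generativelanguage.googleapis.com/v1beta/models?key="


def gemini_key_accepted(key: str, timeout: float = 10.0) -> bool:
    """Live probe: True if whichever backend answered still honours the key."""
    try:
        with urllib.request.urlopen(GEMINI_MODELS_URL + key, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code in (400, 401, 403):  # key invalid/revoked (assumed codes)
            return False
        raise  # 5xx or rate limiting says nothing about the key; retry later


@dataclass
class RevocationReport:
    samples: List[bool]             # per probe: True = key still accepted
    first_rejection: Optional[int]  # index of the first rejected probe
    last_acceptance: Optional[int]  # index of the last accepted probe
    confirmed_at: Optional[int]     # index completing the required run, or None


def confirm_revocation(probe: Callable[[], bool], required_rejections: int = 60,
                       max_probes: int = 600, interval_s: float = 5.0,
                       sleep: Callable[[float], None] = time.sleep) -> RevocationReport:
    """Probe until `required_rejections` consecutive rejections are seen.

    With interval_s=5 and required_rejections=60 the quiet period is 5 minutes;
    tune both to the window you actually observe. A single rejection resets
    nothing, but a single acceptance resets the whole run.
    """
    samples: List[bool] = []
    first_rejection = last_acceptance = confirmed_at = None
    run = 0
    for i in range(max_probes):
        accepted = probe()
        samples.append(accepted)
        if accepted:
            last_acceptance, run = i, 0
        else:
            run += 1
            if first_rejection is None:
                first_rejection = i
            if run >= required_rejections:
                confirmed_at = i
                break
        sleep(interval_s)
    return RevocationReport(samples, first_rejection, last_acceptance, confirmed_at)


def acceptance_rate_by_window(samples: List[bool], window: int) -> List[float]:
    """Fraction of accepted probes per fixed-size window: shows how an attacker's
    success rate steps around during propagation instead of decaying smoothly."""
    return [sum(samples[i:i + window]) / len(samples[i:i + window])
            for i in range(0, len(samples), window)]


class SimulatedRevocation:
    """Constructed stand-in for the real API so the example runs offline: a pool
    of backends that each learn of the deletion after a different number of
    probes, with probes distributed round-robin. Real traffic is not this tidy."""

    def __init__(self, propagation_ticks: List[int]):
        self.propagation_ticks = list(propagation_ticks)
        self.tick = 0

    def probe(self) -> bool:
        backend = self.tick % len(self.propagation_ticks)
        accepted = self.tick < self.propagation_ticks[backend]
        self.tick += 1
        return accepted


def demo(required_rejections: int) -> RevocationReport:
    """Five backends: one revokes almost at once, one only after 120 probes."""
    sim = SimulatedRevocation([5, 20, 20, 60, 120])
    return confirm_revocation(sim.probe, required_rejections=required_rejections,
                              max_probes=1000, sleep=lambda _s: None)


if __name__ == "__main__":
    hasty = demo(required_rejections=3)
    careful = demo(required_rejections=10)
    print("3 rejections in a row declared the key dead at probe", hasty.confirmed_at)
    print("but a backend still accepted it at probe", careful.last_acceptance)
    print("acceptance rate per 20 probes:",
          [round(r, 2) for r in acceptance_rate_by_window(careful.samples, 20)])
```

In the simulated run, requiring only three consecutive rejections declares the key dead at probe 22 while a slow backend keeps accepting it until probe 119; the longer quiet period is what catches that. Against the live endpoint, pass `lambda: gemini_key_accepted(leaked_key)` as the probe and keep the interval at a few seconds so the check does not itself look like abuse.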
Editorial Opinion
This research exposes a troubling mismatch between what developers expect when they delete an API key and what actually happens inside Google's infrastructure. A 23-minute window in which a "deleted" key still works is concerning on its own; combined with automatic billing tier escalation that can raise an account's limit from $250 to $100,000, it creates an asymmetric risk that heavily favors attackers during a credential compromise. Google should prioritize consistent, immediate revocation propagation across all of its systems and reconsider billing policies that raise limits automatically without explicit developer consent.