AI is changing the world. Don't stay behind. Clear summaries, community insight, delivered without the noise. Subscribe to never miss a beat.

Privacy

Contact

Back to all news

google api-keys developer-tools gemini

Google API keys weren't secrets, but then Gemini changed the rules

trufflesecurity.com

February 25, 2026

18 min read

🔥🔥🔥🔥🔥

78/100

Summary

Google API keys, previously considered non-sensitive, can now be used by Gemini to access private user data. A scan of millions of websites revealed nearly 3,000 Google API keys that were originally deployed for public services.

Key Takeaways

Google API keys, previously considered safe for public use, can now access sensitive Gemini endpoints, allowing attackers to exploit them for unauthorized access to private data.
Nearly 3,000 Google API keys, originally deployed for public services, were found to authenticate to Gemini without any notification to developers.
The default setting for new API keys in Google Cloud is "Unrestricted," granting immediate access to all enabled APIs, including sensitive ones like Gemini.
Google retroactively expanded the privileges of existing API keys without warning, leading to potential security vulnerabilities for developers who followed previous guidelines.

Read original article

Community Sentiment

Negative

Concerns

Google's failure to standardize tests or specifications for API key security highlights a significant oversight, raising concerns about their commitment to user safety.
The retroactive privilege expansion of API keys without user notification poses serious risks, allowing unauthorized access to sensitive data and potentially leading to unexpected costs.
Allowing older, public keys to access the Gemini API without adequate safeguards demonstrates a lack of foresight in API security management, which could undermine trust in their services.