
Deleted Google API keys remain active for up to 23 minutes, study finds


Deleted Google API keys can remain active and authenticate successfully for up to 23 minutes after removal, according to a new study by Aikido Security. The cybersecurity firm conducted 10 controlled trials over two days to measure this delay, revealing a window during which a key that has already been deleted still grants access to Google Cloud Platform resources, as reported by HackRead.

API keys authenticate requests between software applications. While the Google Cloud Platform console reports the deletion as immediate, researchers found that keys take an average of 16 minutes to become fully inactive, with the longest observed delay reaching 23 minutes. During this period, threat actors possessing a leaked key can still call the APIs enabled for that key, potentially exfiltrating cached conversations, dumping files from Gemini, and accessing BigQuery or Maps data. The delay stems from eventual consistency in Google's authentication infrastructure: the deletion propagates gradually across global servers, so some servers keep accepting the key until the update reaches them. AWS had a 4-second revocation window for a similar issue, so Google's delay presents a larger risk, according to researchers.

Incident response is further complicated because authentication attempts made with a key after its deletion are logged under a generic "apikey:UNKNOWN" category, which hides which key was used. While Google revokes other credential types faster, it has classified this API key deletion delay as a known property rather than a security flaw, and advises users to treat deletion as a 30-minute operation.
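The practical consequence for a defender is that "deleted" cannot be taken as "revoked" until it has been verified. The following Python harness, added here as an illustration and not code from Aikido Security or Google, polls a deleted key and reports when it stops authenticating. Because revocation propagates replica by replica, a single rejected probe does not prove the key is dead; the harness therefore waits for a configurable run of consecutive rejections before declaring the key revoked, and gives up after the 30-minute budget the article mentions. The `key_still_works` callable is a hypothetical hook: in live use it would issue one harmless read request with the deleted key and return True on success and False on 401/403. The offline run below replaces it with a constructed simulation of four replicas that receive the deletion at different times.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RevocationResult:
    revoked: bool                               # True if confirmed before the deadline
    first_rejection_seconds: Optional[float]    # earliest rejected probe after deletion
    confirmed_seconds: Optional[float]          # time at which the rejection run was completed
    probes: int                                 # total probes issued


def measure_revocation_delay(
    key_still_works: Callable[[], bool],        # hypothetical probe hook (assumption)
    deleted_at: float,
    required_failures: int = 3,                 # consecutive rejections needed to call it revoked
    deadline_seconds: float = 1800.0,           # article's guidance: treat deletion as a 30-minute operation
    interval_seconds: float = 5.0,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> RevocationResult:
    """Poll the deleted key until it is rejected `required_failures` times in a row or the deadline passes.

    `clock` and `sleep` are injectable so the logic can be exercised offline without real waiting.
    """
    probes = 0
    run = 0
    first_rejection: Optional[float] = None
    while True:
        now = clock()
        if now - deleted_at > deadline_seconds:
            # Budget exhausted: the key may still authenticate somewhere.
            return RevocationResult(False, first_rejection, None, probes)
        probes += 1
        if key_still_works():
            run = 0                             # a success breaks the run: not fully propagated yet
        else:
            run += 1
            if first_rejection is None:
                first_rejection = now - deleted_at
            if run >= required_failures:
                return RevocationResult(True, first_rejection, now - deleted_at, probes)
        sleep(interval_seconds)


# ---- constructed offline simulation (not real Google behaviour) ----

class FakeClock:
    """Virtual clock: sleep() advances time instead of blocking."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def make_simulated_probe(clock: FakeClock, replica_delete_times: List[float]) -> Callable[[], bool]:
    """Model eventual consistency: each probe lands on the next replica in round-robin order,
    and a replica keeps accepting the key until its own copy of the deletion arrives."""
    calls = 0

    def key_still_works() -> bool:
        nonlocal calls
        replica = calls % len(replica_delete_times)
        calls += 1
        return clock.now() < replica_delete_times[replica]

    return key_still_works


def run_simulation(
    replica_delete_times: List[float] = (120.0, 540.0, 960.0, 1380.0),   # constructed propagation times
    interval_seconds: float = 30.0,
    required_failures: int = 4,
) -> RevocationResult:
    clock = FakeClock()
    probe = make_simulated_probe(clock, list(replica_delete_times))
    return measure_revocation_delay(
        probe, deleted_at=clock.now(), required_failures=required_failures,
        interval_seconds=interval_seconds, clock=clock.now, sleep=clock.sleep,
    )


if __name__ == "__main__":
    r = run_simulation()
    print(f"revoked={r.revoked} first_rejection={r.first_rejection_seconds}s "
          f"confirmed={r.confirmed_seconds}s probes={r.probes}")
```

In the simulation the first rejection appears after 120 seconds, when one replica has applied the deletion, but the key keeps working on the others for another 20 minutes; only after every replica has caught up does the run of four consecutive rejections complete. That gap is exactly why an incident should be closed on a confirmed rejection run, not on the console's "deleted" status or on the first 401.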

Source: HackRead
