Google Cloud Keys Enable Unauthorized Gemini Access

Truffle Security found nearly 2,863 Google Cloud API keys publicly exposed; such keys can reach Gemini endpoints once their projects enable the Generative Language API. Researchers say keys exposed on websites, and those found by Quokka's scan of 250,000 Android apps (35,000 unique keys), can be abused to read files, leak cached content, and generate billable Gemini requests; Google has implemented detection and blocking mitigations.
Key Points
- Identify nearly 2,863 active Google Cloud API keys publicly exposed, enabling Gemini access
- Explain that enabling the Generative Language API grants inherited permissions, expanding unintended access and billing risks
- Advise developers to restrict keys, monitor usage, rotate credentials, and apply API-specific restrictions
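A defensive check tied to the exposure described above, added here as an example and not code from Truffle Security, Quokka or Google: it scans constructed Android resource and web-bundle samples for the documented Google API key format (`AIza` followed by 35 URL-safe characters) and reports where each unique key appears, the inventory step that precedes rotating a key and restricting it to the APIs it actually needs. The file names and key values are constructed for the example.

```python
import re

# Google Cloud API keys start with "AIza" followed by 35 URL-safe characters
# (39 characters total). The lookarounds stop a match inside a longer token.
GOOGLE_API_KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")

# Constructed sample keys (not real credentials): "AIza" + 35 filler characters.
KEY_A = "AIzaSyEXAMPLE" + "A" * 26
KEY_B = "AIzaSyEXAMPLE" + "B" * 26

# Constructed sample sources: an Android resources file and a shipped web bundle,
# the two places the report says keys were found. Paths are hypothetical.
SAMPLE_SOURCES = {
    "app/res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        f'    <string name="gemini_key">{KEY_A}</string>\n'
        '    <string name="not_a_key">AIzaTooShort</string>\n'
        "</resources>\n"
    ),
    "web/static/app.bundle.js": (
        f'const GEMINI_KEY = "{KEY_A}";\n'
        f'const MODELS_URL = "https://generativelanguage.googleapis.com/v1beta/models?key={KEY_B}";\n'
    ),
}

def find_google_api_keys(text):
    """Return every Google API key candidate in text, in order of appearance."""
    return GOOGLE_API_KEY_RE.findall(text)

def scan_sources(sources):
    """Map each unique key to the (file, line number) pairs where it appears."""
    report = {}
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for key in find_google_api_keys(line):
                report.setdefault(key, []).append((name, lineno))
    return report

def redact(key):
    """Show only the edges so findings can be triaged without re-leaking the key."""
    return key[:8] + "..." + key[-4:]

def summarize(report):
    """Return (unique keys, total occurrences), the two figures the report cites."""
    return len(report), sum(len(hits) for hits in report.values())

if __name__ == "__main__":
    for key, hits in scan_sources(SAMPLE_SOURCES).items():
        print(redact(key), hits)
```

To run it over a real code base or a decompiled APK, replace `SAMPLE_SOURCES` with a mapping of file paths to file contents; every hit is a key to rotate and then restrict to the specific APIs and referrers it needs.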
Scoring Rationale
High practical impact and official confirmation, but limited novelty as it stems from misconfiguration and known API key risks.
Sources
Public references used for this report.

