Google API Keys Vulnerability Allows 23-Minute Access Post-Deletion
Severity: High (Score: 64.5)
Sources: www.offensai.com, Theregister, Darkreading, www.aikido.dev
Keywords: google, keys, deletion, minutes, after, your, still
Summary
Security researchers from Aikido discovered that Google API keys remain usable for up to 23 minutes after deletion, contrary to Google's claim of immediate revocation. This vulnerability allows attackers to exploit deleted keys during the revocation window, potentially accessing sensitive data and incurring significant costs. The researchers conducted 10 trials over two days, finding a median revocation window of approximately 16 minutes. The inconsistency in revocation times across different Google Cloud Platform (GCP) regions complicates the issue, as some servers may still accept requests from deleted keys. This delay poses a critical risk, especially for organizations using services like Gemini, where attackers could exfiltrate sensitive files. Google has not acknowledged the issue as a critical vulnerability, closing the report as “won’t fix.” The findings highlight the need for better credential management practices and more transparent revocation processes.

Key Points:
- Google API keys can be used for up to 23 minutes after deletion, creating a significant security risk.
- The median revocation window observed was around 16 minutes, with varying success rates based on server regions.
- Attackers can exploit this delay to access sensitive data and incur unexpected charges on user accounts.
Detailed Analysis
**Impact**

Google Cloud Platform (GCP) users globally are affected by a vulnerability where deleted API keys remain active for up to 23 minutes, allowing attackers to continue accessing services and data. This exposure risks unauthorized data exfiltration, including files uploaded to Gemini and cached conversation contexts. Financial damage has been reported, with victims incurring five-figure charges due to abuse of billing tier upgrades triggered by malicious usage spikes. The issue impacts sectors relying on GCP APIs, particularly those using Gemini services.

**Technical Details**

The vulnerability arises from Google's eventual consistency model, which delays propagation of a key deletion across authentication servers worldwide. Attackers with stolen API keys can send repeated requests until they reach servers that have not yet processed the deletion, maintaining access unpredictably for 8 to 23 minutes. No CVEs or malware are mentioned; the attack vector is unauthorized API key reuse post-deletion. The kill chain stage involved is credential access and exploitation. No specific IOCs are provided.

**Recommended Response**

Defenders should monitor API key usage closely after deletion, assuming keys remain valid for up to 23 minutes. Incident response teams must adjust their procedures to account for delayed revocation and consider rotating keys proactively rather than relying solely on deletion. Google has not issued a fix, so organizations should implement additional controls such as network-level restrictions, usage quotas, and anomaly detection on API calls. Monitoring for unusual billing spikes and unauthorized data access is critical.
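The monitoring step above ("assume the key stays valid for up to 23 minutes after deletion and watch its usage") can be turned into a small post-deletion check. The following is an added example, not code from Aikido, Google or any of the source articles: it reads a constructed, hypothetical JSON-lines usage log (the field names `ts`, `key`, `region`, `status`, `api` and the key id are assumptions, not a real Google log format or credential), lists requests a deleted key was still granted, measures the revocation window actually observed, and reports per region whether the deletion has been seen to take effect.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample (not from the page): key deleted at 12:00:00Z; later requests
# are still accepted (200) by some regional front ends and rejected (403) by others
# as the deletion propagates. Field names and key id are hypothetical.
KEY_ID = "AIza-EXAMPLE-KEY-1"  # placeholder, not a real credential
DELETED_AT = datetime(2026, 5, 21, 12, 0, 0, tzinfo=timezone.utc)

SAMPLE_LOG = """
{"ts": "2026-05-21T11:58:10Z", "key": "AIza-EXAMPLE-KEY-1", "region": "us-central1", "status": 200, "api": "generativelanguage"}
{"ts": "2026-05-21T12:00:45Z", "key": "AIza-EXAMPLE-KEY-1", "region": "us-central1", "status": 200, "api": "generativelanguage"}
{"ts": "2026-05-21T12:03:20Z", "key": "AIza-EXAMPLE-KEY-1", "region": "europe-west1", "status": 403, "api": "generativelanguage"}
{"ts": "2026-05-21T12:09:05Z", "key": "AIza-EXAMPLE-KEY-1", "region": "asia-east1", "status": 200, "api": "generativelanguage"}
{"ts": "2026-05-21T12:15:30Z", "key": "AIza-EXAMPLE-KEY-1", "region": "us-central1", "status": 403, "api": "generativelanguage"}
{"ts": "2026-05-21T12:16:12Z", "key": "AIza-EXAMPLE-KEY-1", "region": "asia-east1", "status": 200, "api": "generativelanguage"}
{"ts": "2026-05-21T12:25:00Z", "key": "AIza-EXAMPLE-KEY-1", "region": "asia-east1", "status": 403, "api": "generativelanguage"}
{"ts": "2026-05-21T12:30:00Z", "key": "AIza-OTHER-KEY", "region": "us-central1", "status": 200, "api": "maps"}
"""


def parse_log(text):
    """Parse JSON-lines usage records; timestamps become aware UTC datetimes."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def post_deletion_report(events, key_id, deleted_at, assumed_window=timedelta(minutes=23)):
    """Summarise how a deleted key was treated after its deletion time.

    Returns the number of requests still accepted, the observed revocation window
    (last accepted request minus deletion time), whether that exceeds the window
    the page reports (23 minutes), per-region counts, and the regions that have
    accepted the key but have not yet been seen rejecting it (or accepted it again
    after a rejection), i.e. where revocation cannot be considered complete.
    """
    after = [e for e in events if e["key"] == key_id and e["ts"] > deleted_at]
    accepted = [e for e in after if e["status"] == 200]
    rejected = [e for e in after if e["status"] == 403]

    last_ok = max((e["ts"] for e in accepted), default=None)
    observed = (last_ok - deleted_at) if last_ok else timedelta(0)

    per_region = {}
    for e in after:
        r = per_region.setdefault(
            e["region"], {"accepted": 0, "rejected": 0, "last_accepted": None, "first_rejected": None}
        )
        if e["status"] == 200:
            r["accepted"] += 1
            if r["last_accepted"] is None or e["ts"] > r["last_accepted"]:
                r["last_accepted"] = e["ts"]
        elif e["status"] == 403:
            r["rejected"] += 1
            if r["first_rejected"] is None or e["ts"] < r["first_rejected"]:
                r["first_rejected"] = e["ts"]

    still_accepting = {
        region
        for region, r in per_region.items()
        if r["last_accepted"] is not None
        and (r["first_rejected"] is None or r["last_accepted"] > r["first_rejected"])
    }

    return {
        "accepted_after_deletion": len(accepted),
        "rejected_after_deletion": len(rejected),
        "observed_window_seconds": int(observed.total_seconds()),
        "exceeds_assumed_window": observed > assumed_window,
        "per_region": per_region,
        "regions_still_accepting": still_accepting,
        "monitor_until": deleted_at + assumed_window,
    }


if __name__ == "__main__":
    report = post_deletion_report(parse_log(SAMPLE_LOG), KEY_ID, DELETED_AT)
    print(f"accepted after deletion: {report['accepted_after_deletion']}")
    print(f"observed window: {report['observed_window_seconds'] / 60:.1f} min")
    print(f"keep monitoring until: {report['monitor_until'].isoformat()}")
    for region, r in sorted(report["per_region"].items()):
        print(f"  {region}: accepted={r['accepted']} rejected={r['rejected']}")
```

On the constructed sample the key is granted three requests after deletion, the last one 16 minutes 12 seconds later, and every region that accepted it was later seen rejecting it, so the report's `regions_still_accepting` set is empty; in a real incident a non-empty set, or an observed window beyond `assumed_window`, is the signal that deletion alone has not closed the exposure and the accounts, quotas and billing behind that key need direct attention.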
Source articles (4)
- Google API Keys Remain Active After Deletion — Darkreading · 2026-05-21
  A security researcher discovered the API keys can still be used for 23 minutes after deletion, even though the cloud provider claims deletion is immediate. Google API keys aren't completely inactive a…
- AWS IAM Eventual Consistency Persistence — www.offensai.com · 2026-05-21
  Deleted your compromised AWS access keys? Because of AWS IAM eventual consistency, they might still work. OFFENSAI's research reveals how AWS IAM eventual consistency creates a persistence window att…
- Google API Keys Deletion — www.aikido.dev · 2026-05-21
  tl;dr When you delete a Google API key, it says it’s immediately deleted. Our testing says ~23 minutes. During that window, an attacker with a leaked key keeps access to your data and enabled APIs (in…
- Threat hunters find Google API keys still usable 23 minutes after deletion — Theregister · 2026-05-21
  You know your Google API key has leaked so you rush to disable it before bad actors can start running up charges on your account. Bad news: According to security researchers at Aikido, people can use…
Timeline
- 2026-05-21 — Aikido publishes research on Google API key revocation: Research reveals that Google API keys remain active for up to 23 minutes post-deletion, allowing potential exploitation.
- 2026-05-21 — Dark Reading reports on Aikido's findings: Dark Reading highlights the implications of the revocation delay for organizations using Google Cloud services.
- 2026-05-21 — The Register covers the vulnerability: The Register discusses the potential financial impact of the delayed revocation on users and references similar issues with AWS keys.
Related entities
- Data Breach (Attack Type)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-287 - Improper Authentication (CWE)
- T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
- T1078 - Valid Accounts (MITRE ATT&CK)
- T1567 - Exfiltration Over Web Service (MITRE ATT&CK)
- AWS (Company)
- Google Cloud Platform (Company)
- BigQuery (Platform)
- Google Maps (Platform)
- Maps (Platform)
- Gemini (Tool)
- Google Cloud (Tool)