A new study conducted by the cybersecurity firm Aikido Security reveals that deleted Google API keys stay active and can continue authenticating successfully for up to 23 minutes after they are removed. The results were obtained after running 10 controlled trials over two days to measure the delay.
An API key is a string of data used to authenticate requests between software applications. According to researchers, the Google Cloud Platform (GCP) console shows the key as deleted immediately. However, tests showed that the keys actually take an average of 16 minutes to stop working completely, with the longest delay lasting nearly 23 minutes.
During this timeframe, threat actors holding a leaked key retain full access to any enabled APIs on the project. This allows them to exfiltrate cached conversations and dump files uploaded to Gemini. They can also access BigQuery data and Maps APIs.
In the blog post, which was published today and shared exclusively with Hackread.com, researchers explained that this issue happens because of eventual consistency in Google’s authentication infrastructure. In this distributed systems model, updates propagate gradually across global servers rather than all at once.
This means when you delete a key, the message does not reach every Google server around the world immediately, giving hackers a temporary gap to use the key on servers that haven’t updated yet. This identical class of infrastructure issue was demonstrated on AWS last year by researcher Eduard Agavriloae, though the AWS revocation window was only 4 seconds.
The attack method relies on the hacker sending continuous authenticated requests to rotate through Google’s global authentication servers before they sync. Testing across different GCP regions revealed diverse regional variations. In the first minute after deletion, virtual machines in the asia-southeast1 region saw a median success rate of 22%, while us-east1 and europe-west1 both allowed 49% of requests to succeed.
For incident response teams, tracking the timeline of events during an attack is complicated by the GCP “Traffic by Credential” graph. When a key gets deleted, any further authentication attempts by an attacker are bundled into a generic category labelled apikey:UNKNOWN. This makes it difficult to pinpoint which specific credential an attacker is trying to misuse.
Researchers noted that Google has already solved faster propagation for other credential types. For example, Google Service Account keys revoke in roughly 5 seconds, while newer Gemini-format keys (which use an AQ. prefix) take about 1 minute.
Aikido Security reported these findings to Google, but the company closed the report as “won’t fix,” stating that propagation delay is a known property of the system and not a security flaw. Consequently, researchers advise treating Google API key deletion as a 30-minute operation and monitoring the GCP console for valid authentications within that window.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。