Deleted Google API Keys Still Access Gemini, BigQuery,
Google Cloud API keys, even after deletion, can remain active for up to 23 minutes, a newly disclosed issue reveals. This vulnerability exposes projects to potential abuse long after credentials have been revoked.
The finding raises concerns about delayed credential invalidation across Google’s infrastructure, particularly for sensitive services such as Gemini, BigQuery, and Google Maps APIs. According to Aikido research, deleting a Google API key does not immediately terminate its access.
Instead, revocation propagates gradually across distributed systems, creating a “revocation window” during which the key continues to authenticate requests.
- Longest observed window: ~23 minutes.
- Shortest observed window: ~8 minutes.
- Median duration: ~16 minutes.
Attackers with leaked keys can continue making API calls during this period because some backend servers may still accept deleted keys, causing inconsistent enforcement.
Deleted Google API Keys Continue Access
The issue becomes more severe when high-value services are enabled. If a compromised key has access to Google’s Gemini API, attackers may:
- Retrieve previously uploaded files.
- Access cached conversations.
- Continue interacting with AI endpoints.
Similar behavior was observed across other services, including the BigQuery and Maps APIs, indicating that the delay is tied to API key infrastructure rather than individual services.

Researchers conducted controlled experiments over multiple days:
- Created and deleted API keys in repeated trials.
- Sent 3–5 authenticated requests per second post-deletion.
- Measured how long requests continued to succeed.
Results showed unpredictable success rates. For example, one minute after deletion, some trials still saw up to 79% of requests succeed, while others dropped to as low as 5%.
This inconsistency makes it difficult to determine when a key is truly invalid. Tests across multiple Google Cloud regions revealed uneven propagation:
- us-east1: ~49% median success rate.
- europe-west1: ~49% median success rate.
- asia-southeast1: ~22% median success rate.
Interestingly, some distant regions rejected deleted keys faster than closer ones, suggesting that routing, caching, or infrastructure differences influence revocation timing.
The Google Cloud Console does not clearly indicate that a deleted key is still active. Instead:
- Deleted keys disappear from the interface immediately.
- Ongoing requests may still succeed without visibility.
- Failed requests are grouped under “apikey:UNKNOWN”.
This aggregation complicates incident response, as security teams cannot easily attribute activity to a specific deleted key.

Not all Google credentials exhibit the same delay:
- Service account keys: revoked in ~5 seconds.
- New Gemini API keys (AQ prefix): revoked in ~1 minute.
- Legacy API keys: up to 23 minutes.
This disparity suggests that faster revocation is technically feasible but not implemented for standard API keys.
Aikido researcher Joe Leon said Google marked the issue as “won’t fix,” describing the delay as expected behavior in eventually consistent systems rather than a security flaw.
While Google documents eventual consistency in IAM systems, it does not explicitly warn users about delayed API key revocation.
Security Implications
Delayed revocation contradicts typical expectations that deleting credentials immediately blocks access. Even short delays can be exploited, as prior cloud security research demonstrates.
For organizations using Google Cloud, this creates several risks:
- Continued access after credential compromise.
- Lack of visibility into active misuse.
- Difficulty enforcing just-in-time (JIT) credential strategies.
Until changes are implemented, security teams should adjust their response strategies:
- Treat API key deletion as a 30-minute process rather than an immediate one.
- Monitor API usage closely after deletion for suspicious activity.
- Rotate keys proactively and minimize exposure in public repositories.
- Prefer service account keys or newer credential types where possible.
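The measurement loop the researchers describe (a few requests per second against a freshly deleted key, tracking how many still succeed) doubles as the post-deletion monitoring check recommended above. Below is an added Python example of that loop, not Aikido's or Google's code; the `probe` callable is an assumption the reader supplies, one that sends a single request with the deleted key to an API enabled on the project and returns whether the backend accepted it.

```python
import time
from collections import defaultdict
# A sample is (seconds since deletion, request accepted by the backend?).

def collect_samples(probe, rate_per_sec=4.0, max_seconds=30 * 60,
                    clock=time.monotonic, sleep=time.sleep):
    """Send rate_per_sec requests/s until max_seconds pass (default: the article's
    30-minute budget). probe() is caller-supplied (assumed): one request with the
    deleted key, True if the backend accepted it. clock/sleep are injectable for tests."""
    start = clock()
    samples = []
    while True:
        elapsed = clock() - start
        if elapsed > max_seconds:
            return samples
        samples.append((elapsed, probe()))
        sleep(1.0 / rate_per_sec)

def success_rate_per_minute(samples):
    """Fraction of accepted requests in each minute after deletion."""
    buckets = defaultdict(lambda: [0, 0])
    for t, ok in samples:
        b = buckets[int(t // 60)]
        b[0] += int(ok)
        b[1] += 1
    return {m: ok / n for m, (ok, n) in sorted(buckets.items())}

def revocation_window_seconds(samples):
    """Seconds from deletion to the last request a backend still accepted."""
    accepted = [t for t, ok in samples if ok]
    return max(accepted) if accepted else 0.0

def key_is_dead(samples, quiet_seconds=120):
    """True only if nothing was accepted in the final quiet_seconds of sampling."""
    if not samples:
        return False
    cutoff = samples[-1][0] - quiet_seconds
    return not any(ok for t, ok in samples if t > cutoff)

if __name__ == "__main__":
    # Constructed demo: half the backends still accept the key for 16 minutes
    # (the article's median window), then none do; time is simulated.
    fake = {"t": 0.0, "n": 0}
    def fake_probe():
        fake["n"] += 1
        return fake["t"] < 16 * 60 and fake["n"] % 2 == 0
    s = collect_samples(fake_probe, max_seconds=20 * 60, clock=lambda: fake["t"],
                        sleep=lambda d: fake.update(t=fake["t"] + d))
    print(success_rate_per_minute(s), revocation_window_seconds(s), key_is_dead(s))
```

Only close the incident once `key_is_dead` has held for a couple of quiet minutes; a single rejected request proves nothing, since the per-minute success rate can swing between a few percent and most requests while propagation is still in progress.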
This discovery highlights a broader challenge in cloud security: balancing scalability with strict authentication guarantees. In the case of Google API keys, the current model leaves a critical gap that attackers can exploit during the revocation window.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.