'You have no way to revoke it faster or confirm when it stops working': Experts find Google API keys are still usable, even after you delete them
Date:
Fri, 22 May 2026 18:35:00 +0000
Description:
For more than 20 minutes after deletion, some Google API keys can still be used, apparently creating a major security gap.
FULL STORY ======================================================================
Aikido researchers find Google API keys remain usable for up to 23 minutes after deletion.
Success rates varied across trials, with Gemini-enabled projects especially vulnerable to stolen files and cached conversations.
Google dismisses the issue as propagation delay, but Aikido advises treating deletion as a 30-minute window and monitoring for unexpected usage.
If, when you delete a Google API key, you expect it to stop working immediately, we have a surprise for you.
Researchers from Aikido found users can successfully authenticate up to 23 minutes after deletion, creating a gigantic security risk and a major opportunity for threat actors. The worst part is that users have almost no way of knowing when the authentication window closes and can do absolutely nothing to speed it up.
"False statements"
In its report, Aikido described running 10 trials over two days, creating and deleting API keys while sending 3-5 authenticated requests per second, to measure the revocation window.
What they found was rather inconsistent: the longest window was 23 minutes, while the shortest one was 8 minutes.
The team also said success rates were highly unpredictable: in one trial 79% of requests succeeded a minute after deletion, while in another only 5% did. The issue gets even worse for projects where Gemini is enabled, Aikido further stressed. Threat actors can dump uploaded files and exfiltrate cached conversations using the deleted key with relative ease.
The report slammed Google for a misleading user interface, which tells users who deleted their keys: "Once deleted, it can no longer be used to make API requests."
That statement is demonstrably false, Aikido said. The user has no way to
know whether the key is still live, no way to speed up revocation, and no way to confirm when it has fully stopped working.
Google responded to Aikido's disclosure by closing the report and saying it wouldn't fix it. The team's position, as we understand it, is that propagation delay is a known property of the system and not a security issue, the report says.
There might not be a fix or a workaround, but Aikido does discuss a mitigation. Key deletion should be treated as a 30-minute operation, and during that window users should monitor "Enabled APIs and services" in the GCP console for unexpected usage from the deleted credential.
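The trial method described above (delete a key, then keep sending authenticated requests and time how long they keep succeeding) and the 30-minute-window mitigation can both be turned into a check you run on your own key right after deleting it. The script below is an added example, not Aikido's or Google's code. The measurement loop takes the probe as a callable so that the run at the bottom works offline against a constructed backend; the HTTP probe, the endpoint URL it expects and its treatment of status codes are assumptions for use against a key you own, and the per-minute success rates and the 10-minute cut-off of the simulated backend are constructed numbers, not figures from the report.

```python
"""Added example: measure how long a deleted API key keeps authenticating.

Not Aikido's or Google's code. The probe is abstracted as a callable so the
run below works offline against a constructed backend; the HTTP probe and
its endpoint are assumptions for a real run against your own deleted key.
"""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class RevocationReport:
    last_success_s: Optional[float]       # seconds after deletion the key last worked
    confirmed_dead_s: Optional[float]     # when the quiet period was satisfied
    per_minute_success: Dict[int, float]  # minute index -> fraction of accepted probes
    gave_up: bool                         # hit max_s without ever seeing a quiet period


def _rates(counts: Dict[int, List[int]]) -> Dict[int, float]:
    return {minute: acc / total for minute, (acc, total) in counts.items()}


def measure_revocation_window(probe: Callable[[], bool],
                              now: Callable[[], float] = time.monotonic,
                              sleep: Callable[[float], None] = time.sleep,
                              interval_s: float = 0.25,
                              quiet_s: float = 120.0,
                              max_s: float = 1800.0) -> RevocationReport:
    """Call `probe` every interval_s starting right after the key was deleted.

    The key is declared dead once quiet_s seconds pass with no accepted probe;
    max_s (30 min by default, the window the report says deletion should be
    treated as) bounds the run so a key that never dies is reported as such.
    """
    start = now()
    last_success: Optional[float] = None
    counts: Dict[int, List[int]] = {}  # minute -> [accepted, total]
    while True:
        elapsed = now() - start
        reference = last_success if last_success is not None else 0.0
        if elapsed - reference >= quiet_s:
            return RevocationReport(last_success, elapsed, _rates(counts), False)
        if elapsed >= max_s:
            return RevocationReport(last_success, None, _rates(counts), True)
        accepted = probe()
        bucket = counts.setdefault(int(elapsed // 60), [0, 0])
        bucket[1] += 1
        if accepted:
            bucket[0] += 1
            last_success = elapsed
        sleep(interval_s)


def make_http_probe(url: str, key: str, header: str = "x-goog-api-key") -> Callable[[], bool]:
    """Build a probe that presents `key` in `header` to `url` (assumption: the
    endpoint answers 2xx while the key is accepted and 401/403 once revoked).
    Anything else (quota, 5xx) is not evidence either way and is raised."""
    def probe() -> bool:
        req = urllib.request.Request(url, headers={header: key})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return 200 <= resp.status < 300
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                return False
            raise
    return probe


class FakeClock:
    """Virtual clock so the simulated trial finishes instantly."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def simulated_backend(clock: FakeClock) -> Callable[[], bool]:
    """Constructed behaviour (not measured data): full acceptance for 8 minutes
    after deletion, every other request accepted during minutes 8-9, and
    rejection from minute 10 on. Deletion happens at clock time 0."""
    def probe() -> bool:
        t = clock.now()
        if t < 480.0:
            return True
        if t < 600.0:
            return int(t * 4) % 2 == 0
        return False
    return probe


def run_simulated_trial() -> RevocationReport:
    clock = FakeClock()
    return measure_revocation_window(simulated_backend(clock), clock.now, clock.sleep)


if __name__ == "__main__":
    report = run_simulated_trial()
    print(f"last accepted {report.last_success_s}s after deletion, "
          f"confirmed dead at {report.confirmed_dead_s}s")
    for minute, rate in sorted(report.per_minute_success.items()):
        print(f"minute {minute:2d}: {rate:.0%} of probes accepted")
```

For a real run, replace the simulated probe with `make_http_probe(url, deleted_key)` and the default clock, start the loop immediately after the delete request, and treat `last_success_s` as the figure to compare against the 30-minute window; a report with `gave_up` set means the key was still live when the window closed and the usage monitoring in the GCP console should continue.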
======================================================================
Link to news story:
https://www.techradar.com/pro/security/you-have-no-way-to-revoke-it-faster-or-confirm-when-it-stops-working-experts-find-google-api-keys-are-still-usable-even-after-you-delete-them
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)