Cybersecurity researchers have uncovered a serious security flaw that affects Google Cloud API keys. This vulnerability could allow attackers to access sensitive data through Gemini interfaces if a specific programming interface is enabled. According to The Hacker News, these keys, originally meant to identify projects for billing purposes, could now become a way for unauthorized parties to access private content and data without the owners' knowledge.

Research findings show that around 2,863 API keys are currently exposed online, embedded within the code of websites offering various services, like Google Maps. If the Gemini API is active, anyone with these exposed keys could view uploaded files and cached data. They could also consume the project's AI resources, potentially leading to significant financial costs for the account owner, who would be completely unaware.

The researchers noted that some new keys are created with "unrestricted" permissions by default. This means they can access all active programming interfaces within a project, including Gemini, even if they weren't specifically intended for that. This significantly increases the risk, making these keys easy targets for hackers to exploit.

To illustrate the scale of the problem, one user on Reddit shared that they incurred over $82,000 in charges in just two days due to a stolen API key, while their usual monthly spending was around $180. This highlights the severe financial risk that this vulnerability poses.

Cybersecurity experts emphasize that companies and developers must review all active API keys, especially those linked to AI services. They should replace any old keys that might have been publicly exposed and monitor for any unusual activity to prevent financial exploitation and the leakage of sensitive data.

Specialists pointed out that the continuous expansion of API capabilities and their access to larger amounts of data increase the overall risk. This makes protecting digital keys a fundamental step: no longer just a traditional technical measure, but a necessity to avoid financial losses and the leakage of critical information that could threaten both companies and users.
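The key review recommended above can be scripted. The following is an added example, not code from the article or the researchers: it assumes the project's key inventory was exported with `gcloud services api-keys list --format=json`, and it flags keys that have no API restriction or that are allowed to call the Gemini API. The sample records and the function names are constructed for illustration.

```python
import json

# Service name of the Gemini (Generative Language) API in Google Cloud.
GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Application-restriction fields of an API Keys API v2 key record.
APP_FIELDS = ("browserKeyRestrictions", "serverKeyRestrictions",
              "androidKeyRestrictions", "iosKeyRestrictions")

# Constructed sample shaped like `gcloud services api-keys list --format=json`
# output. Project numbers, key ids and display names are made up.
SAMPLE_KEYS = json.loads("""
[
  {"name": "projects/111/locations/global/keys/aaa", "displayName": "maps-web-key",
   "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
     "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"name": "projects/111/locations/global/keys/bbb", "displayName": "legacy-key"},
  {"name": "projects/111/locations/global/keys/ccc", "displayName": "chatbot-key",
   "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}]}}
]
""")


def audit_key(key):
    """Return a list of findings for one key record (empty list = no finding)."""
    findings = []
    restrictions = key.get("restrictions") or {}
    targets = [t.get("service") for t in restrictions.get("apiTargets", [])]
    if not targets:
        # Unrestricted key: valid for every API enabled in the project.
        findings.append("no API restriction (works with Gemini if it is enabled)")
    elif GEMINI_SERVICE in targets:
        findings.append("explicitly allowed to call the Gemini API")
    if not any(field in restrictions for field in APP_FIELDS):
        findings.append("no application restriction (referrer, IP, Android, iOS)")
    return findings


def audit(keys):
    """Map each flagged key's display name to its findings."""
    report = {}
    for key in keys:
        findings = audit_key(key)
        if findings:
            report[key.get("displayName", key["name"])] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS).items():
        print(f"{name}: " + "; ".join(findings))
```

Keys flagged here are the ones to restrict or rotate first, particularly any that also appear in public website code.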