Deleting an API key feels definitive. You go to the console, hit delete, and assume it's gone. That's not quite what happens.
Security researchers at Aikido found that Google's infrastructure has a revocation lag of 16–23 minutes after you delete an API key. During that window, some servers still accept it. It's not a bug — it's a consequence of how distributed systems propagate invalidation state.
What This Means in Practice
If someone steals a key and you catch it quickly, there's a real window where the attacker can still use it. In the context of Google Gemini, that has meant uploaded context being pulled and, in some cases, billing caps being raised from the default tier to much higher limits before anyone notices.
The billing cap issue is the part that's easy to miss. Google's auto-tiering can raise limits automatically — so an attacker with a valid (but supposedly deleted) key might be able to trigger billing increases that stick around after the key actually becomes invalid.
What You Can Do
- Treat key deletion as a process, not an instant state change
- Monitor your billing metrics closely after any suspected compromise — the window matters
- Consider using project-level keys with tighter scopes so a compromise limits blast radius
- For high-risk keys, rotate before you delete — don't rely on deletion alone as your security control
AWS has a similar issue with IAM credentials: about a 4-second revocation window. It's a distributed systems reality, not a vendor failure.
The takeaway isn't that Google is insecure. It's that revocation is a propagation process, not a toggle. Know your window.
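One way to act on "know your window": after deleting a key, keep probing with it until it has been rejected consistently for a quiet period, and record how long the last acceptance took. This is an added example, not code from the article, Aikido or Google; `SimulatedBackend` and `FakeClock` are constructed stand-ins for an eventually-consistent API front end, so the example runs offline and the only thing you would swap in is a real authenticated probe.

```python
class FakeClock:
    """Constructed clock so the simulation runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds

class SimulatedBackend:
    """Constructed stand-in for an eventually-consistent API front end: every
    replica keeps honouring a deleted key until its own propagation lag elapses,
    and requests are spread round-robin across replicas (as a load balancer would)."""
    def __init__(self, replica_lags, clock):
        self.replica_lags, self.clock = replica_lags, clock
        self.deleted_at, self.calls = {}, 0
    def delete_key(self, key):
        self.deleted_at[key] = self.clock.now()
    def is_accepted(self, key):
        lag = self.replica_lags[self.calls % len(self.replica_lags)]
        self.calls += 1
        deleted = self.deleted_at.get(key)
        return deleted is None or self.clock.now() < deleted + lag

def wait_for_revocation(probe, key, clock, quiet_period=120.0, step=10.0, timeout=3600.0):
    """Poll `probe(key)` after deletion until the key has been rejected continuously
    for `quiet_period` seconds. Returns (revoked, observed_window), where
    observed_window is the seconds until the last acceptance seen: the figure to
    record as this provider's revocation lag in the incident runbook."""
    start, last_accept, rejected_since = clock.now(), None, None
    while clock.now() - start <= timeout:
        now = clock.now()
        if probe(key):
            last_accept, rejected_since = now, None  # still live somewhere
        elif rejected_since is None:
            rejected_since = now
        elif now - rejected_since >= quiet_period:
            return True, (last_accept - start if last_accept is not None else 0.0)
        clock.sleep(step)
    return False, (last_accept - start if last_accept is not None else 0.0)

def demo():
    clock = FakeClock()
    # Constructed lags: one replica revokes instantly, the others after 10 and 23 minutes.
    backend = SimulatedBackend([0.0, 600.0, 1380.0], clock)
    # Rotation order: issue the new key and move clients first; only deletion is simulated.
    backend.delete_key("old-key")
    return wait_for_revocation(backend.is_accepted, "old-key", clock)
```

With 10-second probes the observed window lands within one step of the slowest replica's lag, which is the number to compare against the 16–23 minutes reported for Google.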
Source: The Register / Aikido Security