Application Security · Cyber Insider
6.5 HIGH

Google “Won’t Fix” API key staying active for 23 mins after deletion

📅 21 May 2026 at 18:02 UTC 📰 Cyber Insider

Deleted Google API keys remain valid for up to 23 minutes after revocation, potentially allowing attackers to continue accessing Google Cloud services and Gemini data long after the credentials have been disabled. Google acknowledged the behavior following a report by Aikido, but closed the report as “won’t fix,” describing the propagation delay as an expected …

🤖 AI Briefing: Auto-generated threat analysis
🔍 Threat Overview

Google API keys remain valid for up to 23 minutes after deletion, allowing attackers to access Google Cloud services and Gemini data during this time. This delay in revocation creates a window of opportunity for threat actors to exploit compromised credentials.

⚙️ Technical Details
💥 Impact Assessment
Severity: high
🛡️ Recommended Actions
1. Implement additional authentication mechanisms to mitigate the impact of delayed revocation
2. Regularly monitor API key usage and revocation status for suspicious activity
3. Consider using alternative credential systems with faster revocation times
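
One way to carry out the monitoring in item 2, as an added example that is not part of the original summary or of any Google tooling: it flags requests that were still accepted with a key after that key's deletion time and separates use inside the 23-minute window from use beyond it. The record schema, field names and sample data are constructed assumptions, not Google Cloud's own log format.

```python
from datetime import datetime, timedelta, timezone

# Window reported on this page: a deleted key may be accepted for up to 23 minutes.
PROPAGATION_WINDOW = timedelta(minutes=23)

# Constructed sample records. The field names are a hypothetical, normalized
# schema, not Google Cloud's own log format.
DELETIONS = [{"key_id": "key-A", "time": "2026-05-21T10:00:00Z"}]
REQUESTS = [
    {"key_id": "key-A", "time": "2026-05-21T09:59:30Z", "status": 200, "src": "198.51.100.10"},
    {"key_id": "key-A", "time": "2026-05-21T10:05:00Z", "status": 200, "src": "203.0.113.7"},
    {"key_id": "key-A", "time": "2026-05-21T10:22:59Z", "status": 200, "src": "203.0.113.7"},
    {"key_id": "key-A", "time": "2026-05-21T10:30:00Z", "status": 403, "src": "203.0.113.7"},
    {"key_id": "key-A", "time": "2026-05-21T10:40:00Z", "status": 200, "src": "203.0.113.7"},
    {"key_id": "key-B", "time": "2026-05-21T10:10:00Z", "status": 200, "src": "198.51.100.10"},
]


def parse_ts(value):
    """Parse a UTC timestamp such as 2026-05-21T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_deletion_use(deletions, requests):
    """Flag requests that were accepted with a key after that key was deleted."""
    deleted_at = {d["key_id"]: parse_ts(d["time"]) for d in deletions}
    findings = []
    for req in requests:
        t_del = deleted_at.get(req["key_id"])
        if t_del is None or req["status"] >= 400:
            continue  # key never deleted, or the request was rejected
        lag = parse_ts(req["time"]) - t_del
        if lag <= timedelta(0):
            continue  # normal use before deletion
        findings.append({
            "key_id": req["key_id"],
            "src": req["src"],
            "seconds_after_deletion": int(lag.total_seconds()),
            # beyond_window means the key outlived the reported delay: escalate
            "kind": "within_window" if lag <= PROPAGATION_WINDOW else "beyond_window",
        })
    return findings


if __name__ == "__main__":
    for finding in find_post_deletion_use(DELETIONS, REQUESTS):
        print(finding)
```

During incident response, every `within_window` finding is traffic that the deletion did not stop and needs the same review as use before the key was revoked.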
📦 Affected Products
- Google Cloud Platform
- Gemini APIs

This is a curated summary. The complete article is available at Cyber Insider.