The article explains that Google Cloud API keys developers have long treated as safe to publish, such as keys embedded in public JavaScript for Maps or other client-side services, can now act as real credentials for the Gemini API. Researchers found roughly 2,800 such keys exposed in public code that could authenticate to Gemini, so an attacker could read data reachable through Gemini or run up usage charges on someone else's account. The root cause is that one key type is doing two jobs: a low-value identifier that was meant to be visible, and a secret that gates a sensitive, billable API. An API key is scoped to a project and, unless it carries API restrictions, can call any API enabled in that project, so a key published years ago quietly becomes a Gemini credential the moment the Generative Language API is enabled. The recommended fix is to check whether the Generative Language API is enabled in each project, audit which keys can reach it, restrict those keys to the APIs they actually need, and rotate any key that was ever exposed. For everyday users, the advice is mostly to be careful what data you connect Gemini to, review third-party access, and watch for unusual usage or billing spikes.
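The audit the article recommends (is the Generative Language API enabled, which keys can reach it, which of those were ever published) can be scripted against the output of `gcloud`. The following is an added example written for this page, not code from the article or from Google. It assumes the JSON shapes produced by `gcloud services list --enabled --format=json` (service names) and `gcloud services api-keys list --format=json` (API Keys API v2 Key resources, with `restrictions.apiTargets[].service`), plus a set of key resource names that a secret scan found in public code (`gcloud services api-keys lookup KEY_STRING` maps a leaked key string to its resource name). Every record below is a constructed sample; the project names, key IDs and the `<needed-service>` placeholder are assumptions.

```python
"""Audit Google Cloud API keys for unintended access to the Gemini
(Generative Language) API.  Added example; not the article's or Google's code.
Input shapes assumed: `gcloud services list --enabled --format=json` and
`gcloud services api-keys list --format=json` (API Keys v2 Key resources).
All records below are constructed samples.
"""
from dataclasses import dataclass

GEMINI_SERVICE = "generativelanguage.googleapis.com"
MAPS_SERVICE = "maps-backend.googleapis.com"


@dataclass
class Finding:
    project: str
    key: str      # resource name, never the secret key string
    risk: str     # "rotate", "restrict" or "ok"
    reason: str


# Constructed: services enabled per project (hypothetical project names).
ENABLED_SERVICES = {
    "web-frontend-prod": [MAPS_SERVICE, GEMINI_SERVICE],
    "legacy-site": [MAPS_SERVICE],
}

# Constructed: Key resources in the shape of `gcloud services api-keys list`.
SAMPLE_KEYS = [
    {"name": "projects/web-frontend-prod/locations/global/keys/k1",
     "displayName": "Browser key (auto created by Google Service)",
     "restrictions": {}},                                   # no API targets
    {"name": "projects/web-frontend-prod/locations/global/keys/k2",
     "displayName": "maps-js",
     "restrictions": {"apiTargets": [{"service": MAPS_SERVICE}]}},
    {"name": "projects/web-frontend-prod/locations/global/keys/k3",
     "displayName": "gemini-demo",
     "restrictions": {"apiTargets": [{"service": GEMINI_SERVICE}],
                      "browserKeyRestrictions":
                          {"allowedReferrers": ["https://example.com/*"]}}},
    {"name": "projects/web-frontend-prod/locations/global/keys/k5",
     "displayName": "internal-tools",
     "restrictions": {}},
    {"name": "projects/legacy-site/locations/global/keys/k4",
     "displayName": "old maps key",
     "restrictions": {}},
]

# Constructed: resource names of keys a scan found embedded in public code.
EXPOSED_KEYS = {
    "projects/web-frontend-prod/locations/global/keys/k1",
    "projects/legacy-site/locations/global/keys/k4",
}


def project_of(key_name: str) -> str:
    """'projects/P/locations/global/keys/K' -> 'P'."""
    return key_name.split("/")[1]


def api_targets(key: dict) -> list:
    """Services the key is limited to; empty means it may call any API
    enabled in its project."""
    return [t["service"] for t in key.get("restrictions", {}).get("apiTargets", [])]


def can_reach_gemini(key: dict, enabled_services: list) -> bool:
    """True if the key authenticates to Gemini today: the API must be enabled
    in the project and the key must be unrestricted or target it."""
    if GEMINI_SERVICE not in enabled_services:
        return False
    targets = api_targets(key)
    return not targets or GEMINI_SERVICE in targets


def classify(key: dict, enabled: dict, exposed: set) -> Finding:
    name = key["name"]
    project = project_of(name)
    reaches = can_reach_gemini(key, enabled.get(project, []))
    targets = api_targets(key)
    if name in exposed:
        # Anything ever published is rotated; reachability only sets urgency.
        state = "reaches Gemini now" if reaches else "cannot reach Gemini yet"
        return Finding(project, name, "rotate", f"published key; {state}")
    if not targets:
        state = ("can call Gemini" if reaches
                 else "gains Gemini access as soon as the API is enabled")
        return Finding(project, name, "restrict", f"no API restrictions; {state}")
    return Finding(project, name, "ok", "restricted to " + ", ".join(targets))


def audit(keys: list, enabled: dict, exposed: set) -> list:
    return [classify(k, enabled, exposed) for k in keys]


def remediation(f: Finding) -> str:
    """gcloud command for the finding; for 'restrict', fill in the one
    service the key actually needs (<needed-service> is a placeholder)."""
    if f.risk == "rotate":
        return f"gcloud services api-keys delete {f.key}  # after issuing a restricted replacement"
    if f.risk == "restrict":
        return f"gcloud services api-keys update {f.key} --api-target=service=<needed-service>"
    return "no action"


if __name__ == "__main__":
    for f in audit(SAMPLE_KEYS, ENABLED_SERVICES, EXPOSED_KEYS):
        print(f"{f.risk:8} {f.key}: {f.reason}\n         {remediation(f)}")
```

Two design points worth noting. A key with no `apiTargets` in a project where Gemini is not yet enabled is still reported as `restrict`, because enabling the API later (by anyone with the right permission) silently upgrades it; and a published key is reported as `rotate` regardless of what it reaches today, since the article's advice is to rotate anything that was ever exposed. Real runs feed the JSON from `gcloud` into `ENABLED_SERVICES` and `SAMPLE_KEYS` instead of the constructed samples.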

