Joined: 12 September 18
2 hours ago
Quote: Google Cloud API keys may continue functioning for up to 23 minutes after deletion, exposing a significant security gap that could allow attackers to retain unauthorized access to cloud services even after credentials are revoked.
Deleted Google API Keys Retain Access
Security researchers from Aikido, led by Joe Leon, discovered that deleted Google API keys do not immediately lose access as expected. Instead, revocation propagates gradually across Google’s distributed infrastructure, creating a “revocation window” during which the key remains intermittently valid.
In testing across 10 trials, researchers observed:
- Maximum revocation delay of approximately 23 minutes
- Minimum delay of around 8 minutes
- Median revocation time of roughly 16 minutes
During this window, authentication behavior was inconsistent. Some requests failed instantly, while others continued to succeed depending on which backend servers processed them. This inconsistency allows attackers with a leaked API key to continue making requests until all systems fully recognize the deletion.
Continue Reading...
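The behaviour the quoted article describes (a deleted key that some backends still accept until the deletion has reached all of them) is easy to model, and the same polling loop that exposes it in the model is what you would point at a real endpoint to measure your own revocation window. The example below is added here; it is not Aikido's test harness or the article's code. The fleet model, the round-robin routing, the replica timings and the 10-second poll interval are constructed for illustration, and `http_probe` assumes the target accepts the key as the `key` query parameter (as Google APIs do) while leaving the URL to the reader.

```python
"""Model of a gradually propagating key revocation, plus a prober that
measures the window between deletion and the last accepted request."""
import random
import statistics
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass


@dataclass
class Backend:
    """One replica of the auth service. It keeps accepting the deleted key
    until `revoked_at` seconds after the delete call (constructed model)."""
    revoked_at: float


class DistributedAuth:
    """Fleet of replicas. Requests are routed round-robin, so a deleted key
    succeeds on replicas that have not yet learned of the deletion and fails
    on those that have: the intermittent behaviour the article describes."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.calls = 0

    def accepts(self, now):
        replica = self.backends[self.calls % len(self.backends)]
        self.calls += 1
        return now < replica.revoked_at

    def fully_revoked_at(self):
        return max(b.revoked_at for b in self.backends)


def measure_window(is_accepted, interval=10.0, quiet_period=120.0, horizon=3600.0):
    """Poll is_accepted(t) every `interval` seconds from t=0 (the moment of
    deletion) until no success has been seen for `quiet_period` seconds or
    `horizon` is reached. Returns (first_failure, last_success, timeline)."""
    first_failure = None
    last_success = None
    timeline = []
    t = 0.0
    while t <= horizon:
        ok = is_accepted(t)
        timeline.append((t, ok))
        if ok:
            last_success = t
        elif first_failure is None:
            first_failure = t
        # Stop once the key has been dead long enough that a late success is unlikely.
        since = last_success if last_success is not None else 0.0
        if t - since > quiet_period:
            break
        t += interval
    return first_failure, last_success, timeline


def run_trials(n_trials, n_backends=8, max_delay=1500.0, seed=0):
    """Simulate n_trials deletions, each against a fresh fleet whose replicas
    learn of the deletion at random times (constructed), and return the
    observed windows: seconds from deletion to the last accepted request."""
    rng = random.Random(seed)
    windows = []
    for _ in range(n_trials):
        fleet = DistributedAuth(Backend(rng.uniform(0.0, max_delay)) for _ in range(n_backends))
        _, last_success, _ = measure_window(fleet.accepts)
        windows.append(last_success if last_success is not None else 0.0)
    return windows


def summarize(windows):
    """(min, max, median) of the observed windows, in seconds."""
    return min(windows), max(windows), statistics.median(windows)


def http_probe(url, key):
    """Probe a real endpoint: GET url with ?key=<key> and report whether the
    key was accepted (2xx) or rejected (401/403). The endpoint URL is an
    assumption left to the reader; pass `lambda t: http_probe(URL, KEY)` to
    measure_window to time a real deletion."""
    full = url + ("&" if "?" in url else "?") + urllib.parse.urlencode({"key": key})
    try:
        with urllib.request.urlopen(full, timeout=10) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


if __name__ == "__main__":
    # Three replicas converging at 100 s, 300 s and 600 s after the delete.
    fleet = DistributedAuth([Backend(100.0), Backend(300.0), Backend(600.0)])
    first_fail, last_ok, _ = measure_window(fleet.accepts)
    print(f"first failure at {first_fail}s, last success at {last_ok}s, "
          f"fleet fully converged at {fleet.fully_revoked_at()}s")
    print("min/max/median window over 10 simulated trials (s):",
          summarize(run_trials(10)))
```

Two points the model makes concrete. The first failure arrives well before the last success, so "the key was rejected once" is not evidence that it is dead; only a quiet period with no successes is. And the prober's `last_success` always undershoots the fleet's true convergence time, because it can only see the replicas it happens to be routed to, which is why a real measurement needs many polls per trial and several trials before quoting a window.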