Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Google API Key Revocation Delay Poses Security Risks

Google API Key Revocation Delay Poses Security Risks

Posted on May 22, 2026 By CWS

Recent findings reveal a vulnerability in Google Cloud’s API key management, where deleted keys may remain operable for up to 23 minutes. This delay poses potential security risks to projects relying on critical services such as Gemini, BigQuery, and Google Maps.

Research conducted by Aikido highlights a significant concern: the lag in credential invalidation across Google’s infrastructure. When a Google API key is deleted, the revocation does not occur instantaneously. Instead, the invalidation process gradually spreads across distributed systems, leading to a ‘revocation window’ during which unauthorized access remains possible.

Delayed Revocation Across Services

The most extended revocation window observed was approximately 23 minutes, with the shortest being around 8 minutes and a median duration of 16 minutes. During this window, attackers with compromised keys can continue to use API services, as some backend systems may still validate the deleted keys.

Particularly alarming is the impact on high-value services. For instance, if a leaked key offers access to the Gemini API, it could allow attackers to retrieve files, access cached data, and interact with AI endpoints. This problem is not isolated to one service but affects others like BigQuery and Maps APIs, suggesting a systemic issue within the API key infrastructure.

Experimental Findings and Impact

In controlled experiments, researchers repeatedly created and deleted API keys, sending several authenticated requests post-deletion. They found that the success rate of these requests varied unpredictably. Some trials saw up to 79% success shortly after key deletion, while others dropped to 5%, indicating inconsistent enforcement.

Tests across various Google Cloud regions further illustrated this inconsistency, with median success rates of around 49% in us-east1 and europe-west1, and about 22% in asia-southeast1. Surprisingly, some distant regions invalidated keys faster than those closer, hinting at infrastructural factors affecting revocation timing.

Security Concerns and Recommendations

This delay in key revocation presents significant security challenges. The immediate disappearance of deleted keys from the Google Cloud Console interface, yet ongoing successful requests, complicates incident response. Failed requests are aggregated under ‘apikey:UNKNOWN,’ making it hard for security teams to track specific deleted key activity.

Different types of Google credentials exhibit varied revocation times. Service account keys revoke in roughly 5 seconds, new Gemini API keys in about 1 minute, while legacy keys can take up to 23 minutes. This variance indicates that faster revocation is possible but not uniformly applied.

Google has labeled this issue as ‘won’t fix,’ citing it as expected behavior in eventually consistent systems rather than a security flaw. Nonetheless, this delay contradicts typical security expectations and poses several risks, such as prolonged access after key compromise and difficulty enforcing just-in-time credential strategies.

To mitigate these risks, organizations are advised to treat API key deletion as a 30-minute process, closely monitor API usage post-deletion, and proactively rotate keys. Preference should be given to service account keys or newer credential types to minimize exposure.

This situation underscores a broader challenge in cloud security: balancing scalability with stringent authentication assurances. The current model of Google API keys leaves a critical window that attackers could exploit, necessitating heightened vigilance from security teams.

Cyber Security News Tags:API key revocation, API key vulnerability, API security, BigQuery, cloud infrastructure, cloud security, credential management, Cybersecurity, eventual consistency, Gemini API, Google Cloud, Google Maps, IAM systems, key rotation, security risks

Post navigation

Previous Post: Ubiquiti Releases Critical Updates for UniFi OS Vulnerabilities
Next Post: INJ3CTOR3 Hackers Exploit FreePBX Systems with Six-Layer Tactics

Related Posts

Oracle E-Business Suite Vulnerability Actively Exploited Oracle E-Business Suite Vulnerability Actively Exploited Cyber Security News
Critical Windows Notepad Flaw Enables Remote Code Execution Critical Windows Notepad Flaw Enables Remote Code Execution Cyber Security News
Malicious App on Google Play Poses Serious Security Threat Malicious App on Google Play Poses Serious Security Threat Cyber Security News
ZAP JavaScript Engine Memory Leak Issue Impacts Active Scan Usage ZAP JavaScript Engine Memory Leak Issue Impacts Active Scan Usage Cyber Security News
Cybercriminals Exploit Homoglyphs to Mimic Trusted Websites Cybercriminals Exploit Homoglyphs to Mimic Trusted Websites Cyber Security News
Hackers are Moving to “Living Off the Land” Techniques to Attack Windows Systems Bypassing EDR Hackers are Moving to “Living Off the Land” Techniques to Attack Windows Systems Bypassing EDR Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark