BBS:      TELESC.NET.BR
Subject:  Hackers use leaked keys
From:     Mike Powell
Date:     Sun, 12 Apr 2026 11:11:29 -0500
-----------------------------------------------------------
'$15K bill destroyed a solo developer's startup': How hackers are using leaked
Google API keys to go wild with Gemini AI for free

Date:
Sat, 11 Apr 2026 17:35:00 +0000

Description:
Developers' public API keys now function as live Gemini AI credentials,
enabling attackers to run costly and unauthorized operations.

FULL STORY
AI developers are facing severe consequences as exposed Google API keys are
exploited to access Gemini AI without authorization, leading to significant
financial losses, experts have warned.

Security researchers from CloudSEK found that the root cause of these incidents
lies in the unintended elevation of publicly available API keys into live
Gemini AI credentials. Many developers have long embedded keys for services
like Maps or Firebase in public-facing applications, following Google's
official guidance, never anticipating that these keys would gain access to the
AI infrastructure. One case involved a solo developer whose startup nearly
collapsed after an attacker used a publicly accessible key to flood Gemini AI
with inference requests.

The developer revoked the key within minutes of receiving a billing alert,
yet due to a reporting lag in Google Cloud's billing system, the charges had
already reached $15,400.

Similarly, a Japanese company experienced approximately $128,000 in
unauthorized Gemini API usage, despite firewall-level IP restrictions.

Also, a small development team in Mexico saw an $82,314 spike in only 48
hours, a dramatic 455-times increase over typical spending.

"This issue does not stem from developer negligence; the implementations were
compliant with Google's prescribed guidelines," said Tuhin Bose, cybersecurity
researcher at CloudSEK.

He explained the architecture effectively converted non-sensitive identifiers
into authentication tokens, creating a systemic vulnerability across numerous
applications. 

CloudSEK's research identified 32 exposed Google API keys across 22 Android
applications with a combined install base exceeding 500 million users.
The affected apps include household names such as OYO Hotel Booking App,
Google Pay for Business, Taobao, and ELSA Speak.

Researchers confirmed data exposure in ELSA Speak when they accessed
user-submitted audio files via the Gemini Files API. 

The vulnerability allows attackers to perform unlimited Gemini API calls,
access sensitive user data, and exhaust organizational API quotas. 

It can also persist through app update cycles, severely impacting both
developers and end users. 

Developers who had followed Google's guidance now unknowingly hold live
credentials to powerful AI tools without notification or opt-in prompts.

Technical measures such as revoking keys and restricting project permissions
can mitigate exposure. 

However, the financial and operational impact on developers is substantial,
suggesting that current practices for handling API keys and AI integrations
require immediate reevaluation. 

Exposure of hardcoded credentials demonstrates the risks inherent in assuming
backward compatibility for modern AI-enabled cloud services.
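As an added example (not from the article, CloudSEK, or Google), a pre-release scan a developer can run over an app checkout to find Google API keys embedded in the Android manifest or in source before they ship; the sample tree and the key value are constructed, and only the "AIza" prefix and 39-character length of Google API keys are assumed.

```python
import re
from typing import Dict, List

# Google API keys are 39 characters long and start with the literal prefix
# "AIza"; the remaining 35 characters are URL-safe base64 characters.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])")

# Constructed sample tree (assumed layout, not from any real app). The key is a
# made-up string in the right format, not a real credential.
SAMPLE_TREE: Dict[str, str] = {
    "app/src/main/AndroidManifest.xml": (
        "<application>\n"
        '  <meta-data android:name="com.google.android.geo.API_KEY"\n'
        '             android:value="AIzaSyEXAMPLE_0123456789abcdefghijklmno"/>\n'
        "</application>\n"),
    "app/src/main/java/com/example/Config.kt": (
        "// Same key copied into code: both copies ship inside the APK.\n"
        'const val MAPS_KEY = "AIzaSyEXAMPLE_0123456789abcdefghijklmno"\n'),
    "README.md": "Set GOOGLE_API_KEY in the environment; never commit it.\n",
}

def mask(key: str) -> str:
    """Keep just enough of the key to match it in the Cloud console."""
    return f"{key[:8]}...{key[-4:]}"

def scan_file(path: str, text: str) -> List[dict]:
    """Return one finding per key occurrence in a single file."""
    return [
        {"path": path, "line": lineno, "key": m.group(0),
         "masked": mask(m.group(0)),
         # Manifest keys are the Maps/Firebase pattern the article describes.
         "in_manifest": path.endswith("AndroidManifest.xml")}
        for lineno, line in enumerate(text.splitlines(), 1)
        for m in GOOGLE_API_KEY_RE.finditer(line)]

def scan_tree(tree: Dict[str, str]) -> List[dict]:
    """Scan every file in the tree (a real run would walk the checkout)."""
    return [f for path, text in tree.items() for f in scan_file(path, text)]

def report(findings: List[dict]) -> dict:
    """Triage summary: every unique key needs revoking or API restrictions."""
    return {"findings": len(findings),
            "unique_keys": len({f["key"] for f in findings}),
            "manifest_exposures": sum(f["in_manifest"] for f in findings)}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f['path']}:{f['line']}: {f['masked']}")
    print(report(scan_tree(SAMPLE_TREE)))
```

Each unique key reported should then be revoked or restricted to the APIs the app actually needs, as the article's mitigation advice suggests.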

Link to news story:
https://www.techradar.com/pro/security/usd15k-bill-destroyed-a-solo-developers-startup-how-hackers-are-using-leaked-google-api-keys-to-go-wild-with-gemini-ai-for-free

--- SBBSecho 3.28-Linux
 * Origin: Capitol City Online (1:2320/107)
