Bottom line: Google API keys continue to function for up to 23 minutes after deletion, posing a security risk and contradicting Google’s promise of immediate deactivation.
A security researcher discovered that Google API keys can still be used for up to 23 minutes after deletion – despite the cloud provider promising immediate deactivation.
A security researcher has uncovered a remarkable security vulnerability at Google Cloud: API keys can remain active and continue to function for up to 23 minutes after deletion, even though Google promises that deactivation happens immediately. This delay in propagating the deletion through Google’s systems poses a significant security risk. Deleted or compromised API keys could still be abused by malicious actors during this window to access sensitive Google Cloud resources and services. The research raises questions about the reliability of Google’s security measures and the actual response times for critical security incidents.
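For incident response, the window described above means that requests made with a key after its deletion timestamp still need review. The following is an added example, not code from the article or the researcher: it flags requests that were still accepted after a key's deletion. The log format, key ids and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

REPORTED_WINDOW = timedelta(minutes=23)  # upper bound reported in the article

# Constructed sample log (format is an assumption, not a Google Cloud log schema).
SAMPLE_LOG = """\
2025-01-10T11:58:10Z REQUEST key-a 200
2025-01-10T12:00:00Z DELETE key-a -
2025-01-10T12:04:30Z REQUEST key-a 200
2025-01-10T12:19:45Z REQUEST key-a 200
2025-01-10T12:24:00Z REQUEST key-a 403
2025-01-10T12:30:00Z DELETE key-b -
2025-01-10T12:30:05Z REQUEST key-b 403
2025-01-10T13:00:00Z DELETE key-c -
2025-01-10T13:40:00Z REQUEST key-c 200
"""


def parse_log(text):
    """Yield (time, event, key_id, status) from lines 'ISO-time EVENT key-id status'."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, key_id, status = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        yield when, event, key_id, None if status == "-" else int(status)


def post_deletion_use(text, window=REPORTED_WINDOW):
    """Per deleted key: requests still accepted after the deletion timestamp."""
    events = sorted(parse_log(text), key=lambda e: e[0])
    deleted_at = {k: t for t, ev, k, _ in events if ev == "DELETE"}
    report = {}
    for when, event, key_id, status in events:
        if event != "REQUEST" or key_id not in deleted_at:
            continue
        lag = when - deleted_at[key_id]
        if lag <= timedelta(0) or status >= 400:
            continue  # made before deletion, or already rejected
        entry = report.setdefault(key_id, {"accepted": 0, "max_lag": lag})
        entry["accepted"] += 1
        entry["max_lag"] = max(entry["max_lag"], lag)
        entry["beyond_window"] = entry["max_lag"] > window
    return report


if __name__ == "__main__":
    print(post_deletion_use(SAMPLE_LOG))
```

A key with `beyond_window` set was accepted later than the 23 minutes the article reports, which suggests the deletion timestamp or the key id in the record is wrong and is worth checking separately.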