Full Report
Plenty of time for bad actors to grab data or hit you with a giant bill
Analysis Summary
# Industry News: Google’s 23-Minute API Revocation Gap Exposed
## Summary
Security researchers at Aikido have discovered that deleted Google API keys remain functional for up to 23 minutes due to infrastructure propagation delays. This vulnerability, combined with Google’s automatic billing tier escalations, creates a high-risk window for catastrophic financial loss and data exfiltration.
## Key Details
- **Date:** May 21, 2026
- **Companies Involved:** Google (Alphabet Inc.), Aikido (Security Research Firm)
- **Category:** Vulnerability Research / Cloud Security / Platform Policy
## The Story
Research conducted by Aikido reveals a significant "propagation gap" in Google Cloud Platform’s (GCP) credential management. When a developer deletes a compromised API key, the change is not instantaneous across Google’s global server network. In ten trials across various global regions, researchers found that while some servers rejected keys immediately, others continued to authenticate requests for nearly 23 minutes.
This lag is particularly dangerous because of how Google manages "Gemini" (AI) API billing. If an account has spent over $1,000 historically, Google may automatically hike a user's spending cap from $250 to $100,000 during a usage spike. Attackers who obtain a leaked key can flood Google's infrastructure with requests; even if most servers reject the key, the "un-synced" servers provide a foothold to run up massive bills or exfiltrate sensitive data from AI-cached conversations and uploaded files.
## Business Impact
### For the Companies Involved
- **Google:** Faces reputational risk regarding their "Won't Fix" stance on a known security gap. The company has already had to refund over $150,000 to affected developers, indicating a direct financial drain from these "intended" system behaviors.
- **Aikido:** Solidifies its position as a high-value threat research entity in the cloud security posture management (CSPM) space.
### For Competitors
- **AWS & Azure:** May gain a competitive edge in "security-conscious" developer circles. AWS’s similar propagation gap was measured at only four seconds, significantly reducing the "blast radius" compared to Google’s 23 minutes.
### For Customers
- **Developers/SMBs:** High financial risk. A single leaked key can lead to six-figure debt before the "delete" command fully propagates.
- **Enterprises:** Increased risk of data exfiltration, specifically involving sensitive IP stored in Gemini AI contexts.
### For the Market
- **Cloud Governance:** This news highlights the danger of "automatic scaling" in cloud billing, potentially leading to a demand for more granular "hard caps" on API spending that cannot be overridden by AI-driven usage spikes.
## Technical Implications
The issue stems from **Eventual Consistency** in distributed systems. While Google’s newer "AQ-prefix" keys rotate in ~1 minute and Service Accounts in ~5 seconds, legacy API keys rely on slower propagation paths. Attackers can exploit this by using high-volume automated scripts to "search" for servers that haven't yet received the revocation update.
## Strategic Analysis
- **Market Positioning:** Google is prioritizing system performance/availability (avoiding the overhead of instantaneous global sync) over immediate security consistency.
- **Competitive Advantage:** Attackers have a mathematical advantage during the 23-minute window; by sending requests at a high frequency, they maximize the probability of hitting a non-updated server.
- **Challenges:** Google’s internal assessment labeled a fix as "Infeasible," suggesting that a solution would require a fundamental and costly re-architecture of their global credential caching system.
## Industry Reactions
- **Aikido Researchers:** Critical of the discrepancy between Google’s different credential types, noting that since Service Accounts sync in 5 seconds, the 23-minute gap for API keys is "technically solvable."
- **Market Response:** Growing frustration among developers regarding Google’s "automatic tier upgrades," which shift the financial risk of security breaches from the provider to the user.
## Future Outlook
- **Predictions:** Expect a rise in "API Key Ransomware" where attackers don't just steal data, but threaten to "bill-bomb" a company unless a ransom is paid.
- **What to Watch for:** Whether Google bows to pressure to implement "Hard Billing Kill-Switches" that override propagation delays by halting all project traffic.
## For Security Professionals
- **Immediate Action:** Audit all GCP projects for "legacy" API keys. Transition to Service Accounts or the newer Gemini key formats (starting with "AQ") where possible, as these have faster revocation times.
- **Monitoring:** Implement real-time monitoring for API usage spikes. Do not rely on deletion as an immediate remedy; if a key is leaked, consider the project compromised for at least 30 minutes post-revocation.
- **Best Practice:** Use "Secret Management" tools to avoid hardcoding keys, and strictly limit API key scopes to the bare minimum required.