This is really a "WTF how could they ever think this is a good idea?" kind of vulnerability. Usually the kind of stuff you get from shady, incompetent startups, but this is Google...
https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules
Google API Keys Weren't Secrets. But then Gemini Changed the Rules. ◆ Truffle Security Co.

Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true.

@hanno why is this report so many goddamn words. it’s at least 50% LLM fluff by volume

(yes the bug is incredibly silly too, but c’mon)

@Gaelan @hanno I read the whole thing and it does not show any signs of being LLM content.

It’s quite a solid piece of research that, unlike many other posts, actually explains the vulnerability in terms that can be understood even by junior developers.