1. Tell everybody that your API keys aren't secret and it's safe to publish them on your website.
2. Protect sensitive AI assistant content with the same kind of API keys.
3. Retroactively allow active API keys to access the sensitive content.
4. What could possibly be going wrong?! 🔥

Probably the worst vulnerability Google has ever deployed to prod: https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules

Google API Keys Weren't Secrets. But then Gemini Changed the Rules. (Truffle Security Co.)

Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true.

I now created* and released a script to check a whole GCP Organization for API keys affected by this issue. Use at your own discretion:
https://gist.github.com/F30/9fd4d4cbcfe11c6aabe44e5cc9d8358d

(*) vibe-coded and manually reviewed

Check for GCP API keys affected by the retroactive enablement of the Generative Language (Gemini) API. See https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules for details. Use at your own discretion, provided 'as is' without any warranties or liability for potential issues.

I'm now also contributing a Prowler check to detect the situation: https://github.com/prowler-cloud/prowler/pull/10280
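The kind of triage such a check performs, as an added example that is neither the gist above nor the Prowler check: it takes the JSON that `gcloud services api-keys list --format=json` emits (API Keys API v2 shape, with an optional `restrictions.apiTargets[].service` list per key) and flags every key that could reach the Generative Language API, either because it names `generativelanguage.googleapis.com` explicitly or because it has no API-target restriction at all and so can call any API enabled in its project, Gemini included once that API is switched on. The sample key list is constructed, the field names are my assumption about the gcloud output, and the rest is standard library.

```python
"""Flag GCP API keys that can reach the Generative Language (Gemini) API.

Added example, not the gist or Prowler check referenced above. Assumes the
JSON shape of `gcloud services api-keys list --format=json`: each key has
`name`, `displayName` and an optional `restrictions.apiTargets[].service`
list. A key with no API targets is usable against any API enabled in its
project, so enabling generativelanguage.googleapis.com exposes it too.
"""
import json
import sys

GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Constructed sample in the assumed gcloud output shape (no real keys).
SAMPLE_KEYS_JSON = json.dumps([
    {"name": "projects/111/locations/global/keys/k-maps",
     "displayName": "maps-browser-key",
     "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}],
                      "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}}},
    {"name": "projects/111/locations/global/keys/k-open",
     "displayName": "legacy-unrestricted-key"},
    {"name": "projects/111/locations/global/keys/k-gemini",
     "displayName": "gemini-key",
     "restrictions": {"apiTargets": [{"service": GEMINI_SERVICE}]}},
    {"name": "projects/111/locations/global/keys/k-empty",
     "displayName": "empty-restrictions",
     "restrictions": {}},
])


def api_targets(key):
    """Return the list of services a key is restricted to ([] = unrestricted)."""
    return [t.get("service", "") for t in key.get("restrictions", {}).get("apiTargets", [])]


def can_reach_gemini(key):
    """True if the key is unrestricted or explicitly allows the Gemini service."""
    targets = api_targets(key)
    return not targets or GEMINI_SERVICE in targets


def classify(keys):
    """Return one finding per key that can reach Gemini, with the reason."""
    findings = []
    for key in keys:
        targets = api_targets(key)
        if not targets:
            reason = "no API-target restriction: usable against any enabled API"
        elif GEMINI_SERVICE in targets:
            reason = "explicitly allows " + GEMINI_SERVICE
        else:
            continue  # restricted to other services only: not affected
        findings.append({"name": key["name"],
                         "displayName": key.get("displayName", ""),
                         "reason": reason})
    return findings


def affected_keys(keys_json):
    """Parse gcloud's JSON output and return the findings list."""
    return classify(json.loads(keys_json))


if __name__ == "__main__":
    # Pipe `gcloud services api-keys list --format=json` in, or run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEYS_JSON
    for finding in affected_keys(data):
        print(f"{finding['displayName']:<28} {finding['name']}  ({finding['reason']})")
```

Run it per project and merge the results to cover an organisation; a flagged key whose `browserKeyRestrictions` show it was meant to live in client-side code is the case the blog post is about, since a referrer restriction does nothing to stop a direct API call from elsewhere.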