The Discovery
In November 2025, Truffle Security researchers made an alarming discovery: Google AI Studio API keys—commonly embedded in public code for services like Google Maps—could also access the powerful Gemini AI API without developers’ knowledge or explicit permission.
The security firm found 2,863 live API keys deployed across public websites, including major financial institutions, security companies, and even Google’s own infrastructure. These keys, designed for seemingly benign purposes like map embeds, suddenly had access to sophisticated AI capabilities.
How It Worked
The vulnerability stemmed from Google’s API architecture. When developers enabled the Generative Language API for a project, existing API keys would automatically gain access to Gemini services. This meant that what developers thought were harmless, public-facing credentials could suddenly execute AI operations.
Truffle Security initially reported the issue to Google’s Vulnerability Disclosure Program on November 21, 2025. Google’s first response dismissed the behavior as intended. It wasn’t until December 1st, when Truffle provided proof-of-concept demonstrations using keys from Google’s own public-facing websites, that the severity became undeniable.
Google’s Response
By December 2nd, Google changed course, reclassifying the issue from a Customer Issue to a Bug and committing to remediation. The company outlined a three-part fix:
- New API keys created through AI Studio now default to Gemini-only access, preventing privilege escalation
- Google began blocking leaked API keys when detected accessing Gemini APIs
- Proactive notifications now alert developers when potentially leaked keys are identified
What Developers Should Do
For organizations using Google Cloud Platform, immediate auditing is essential. Check whether the Generative Language API is enabled in any projects via the Cloud Console. Review all API key configurations for unrestricted settings or explicit Generative Language API permissions.
Tools like TruffleHog can scan codebases for exposed keys.
Takeaway
This incident highlights a fundamental tension in modern API design: convenience versus security. Google’s initial assumption—that developers would understand the permission model—proved dangerous in practice. The episode serves as a reminder that API keys should always be treated as sensitive credentials, regardless of their intended scope.
Image credit: Trufflesecurity