
Google API keys remain active for 23 minutes after you delete them

Original version · May 23, 11:00

Deleting compromised credentials should stop hackers immediately, right? Not in Google's world, where "deleted" actually means "feel free to hang around and steal data for a bit longer."

Security researcher Joe Leon from the startup Aikido Security decided to test how fast the big cloud providers actually revoke access when a user hits "delete." While testing Google Cloud Platform (GCP), he discovered that deleted API keys continue to authenticate requests for a median of 16 minutes, and in some tests, for up to 23 minutes.

This means a hacker who already has their hands on a compromised key can keep querying the servers, blissfully uninterrupted. If the target project has Gemini enabled, the intruder can use this generous grace period to download files or steal cached messages, while the GCP console proudly claims the key no longer exists.

The research was inspired by a similar test on Amazon Web Services (AWS), where credentials remained active after deletion for a grand total of four seconds, a delay that Amazon immediately patched. Google's delay, by comparison, looks like a geological epoch.

To prove this was not a fluke, the Aikido team ran tests across different geographical regions, sending up to five requests per second. The results were wildly erratic, with success rates of deleted keys reaching 79% in some regions after a full minute, while others dropped to 5%, seemingly dependent on how far the server was from the US.

When the researchers politely reported this security loophole to the tech giant, Google shrugged, labeled the issue as "not a bug" and closed the ticket. Interestingly, the company revokes other types of credentials within five seconds, proving that fixing this is entirely possible but apparently not worth their coffee break.

It is truly beautiful how a trillion-dollar company can redefine the word "deleted" to mean "mostly dead but still chatting." Security teams are now forced to sit on their hands for half an hour after an incident, praying the hackers get bored before the infrastructure actually decides to update itself.
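The practical question this raises for a responder is how to know when the waiting is over. The following is an added example, not Aikido's test harness or any Google code: after deleting a key, keep probing with it and only declare it dead once rejections are stable, recording per-minute acceptance rates like the ones the researchers measured. The `probe` callable, `FakeClock` and the stale-cache simulation are assumptions constructed for this example; against a real API, `probe` would be an authenticated request that returns True on a 2xx response.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class RevocationReport:
    last_success_s: float                 # seconds after deletion of the last accepted probe
    first_reject_s: float                 # seconds after deletion of the first rejection, -1 if none
    per_minute_success: Dict[int, float]  # minute bucket -> fraction of probes accepted
    fully_revoked: bool                   # True once `confirm` consecutive probes were rejected


def measure_revocation_lag(probe: Callable[[], bool], max_seconds: float, rate_hz: float = 5.0,
                           confirm: int = 30, clock: Callable[[], float] = time.monotonic,
                           sleep: Callable[[float], None] = time.sleep) -> RevocationReport:
    """Keep using the deleted key via `probe` (True = request accepted) at `rate_hz`
    until it is rejected `confirm` times in a row or `max_seconds` pass.
    clock/sleep are injectable so the run can be simulated offline."""
    start, last_ok, first_reject, streak = clock(), -1.0, -1.0, 0
    counts: Dict[int, List[int]] = {}  # minute bucket -> [accepted, total]
    while (now := clock() - start) <= max_seconds:
        bucket = counts.setdefault(int(now // 60), [0, 0])
        bucket[1] += 1
        if probe():
            bucket[0] += 1
            last_ok, streak = now, 0
        else:
            streak += 1
            first_reject = now if first_reject < 0 else first_reject
            if streak >= confirm:  # rejection is stable: only now is the key really dead
                break
        sleep(1.0 / rate_hz)
    rates = {b: ok / total for b, (ok, total) in counts.items()}
    return RevocationReport(last_ok, first_reject, rates, streak >= confirm)


class FakeClock:
    """Constructed simulation clock: time advances only when sleep() is called."""
    def __init__(self) -> None:
        self.t = 0.0
    def sleep(self, seconds: float) -> None:
        self.t += seconds


def stale_cache_probe(clock: FakeClock, propagation_s: float) -> Callable[[], bool]:
    """Simulated backend (constructed): its auth cache keeps honouring a key deleted
    at t = 0 for `propagation_s` more seconds, then starts rejecting it."""
    return lambda: clock.t < propagation_s
```

With the simulated backend set to the 16-minute median lag from the article, the report shows acceptance at 100% through minute bucket 15 and the first rejection at about 960 seconds; a real run simply swaps the simulated probe and clock for live ones.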

Source: Dark Reading
