
Deleted Google API Keys Remain Active for Up to 23 Minutes, Posing Security Risks
A study by Aikido Security found that deleted Google API keys remain active for up to 23 minutes after deletion, leaving services such as Google Cloud Platform (GCP), Gemini, BigQuery, and Google Maps vulnerable to unauthorized access. The delay in key revocation exposes sensitive data and resources to potential attackers during the window between deletion and actual deactivation. No specific CVE ID or exact date of the discovery was mentioned in the report. The vulnerability affects organizations relying on Google's API key management for cloud and data services. The impact includes potential data breaches, unauthorized API calls, and exploitation of cloud resources.