

Google Cloud Platform API Key Revocation Delays Beyond UI Confirmation

1 unique source, 1 article

Summary


Research from Aikido Security reveals that Google Cloud Platform (GCP) API keys remain active for a median of 16 minutes and up to 23 minutes after deletion, creating a critical window for attackers to exploit deleted credentials. The revocation delay varies significantly by region, with authentication success rates ranging from 5% to 79% within the first minute post-deletion. Attackers holding deleted API keys can continue making authenticated requests until Google’s infrastructure propagates the revocation, potentially exfiltrating data via enabled services like Gemini. The GCP console falsely indicates immediate revocation, leaving organizations unaware of ongoing exposure.

Timeline

  1. 21.05.2026 23:07 · 1 article

    GCP API Key Revocation Delays Exceed User Expectations, Enabling Prolonged Exploitation

    Aikido Security’s analysis demonstrates that GCP API keys remain active for 16–23 minutes post-deletion, with success rates varying by region. Attackers can exploit this window for continued API access, including data exfiltration via enabled services like Gemini. The GCP console falsely indicates immediate revocation, and Google has marked the issue as "won’t fix," leaving organizations to implement manual monitoring (e.g., 30-minute windows) to detect exploitation.


Information Snippets

  • Google Cloud Platform (GCP) API keys remain active for a median revocation window of 16 minutes and up to 23 minutes after deletion, enabling continued authentication.

    First reported: 21.05.2026 23:07
    1 source, 1 article
  • Aikido Security’s tests demonstrated unpredictable authentication success rates post-deletion, ranging from 5% to 79% within the first minute, with regional disparities (e.g., 22% success in asia-southeast1 vs. 49% in us-east1 and europe-west1).

    First reported: 21.05.2026 23:07
    1 source, 1 article
  • Attackers with deleted API keys can exploit the delay to send authenticated requests, potentially dumping uploaded files or exfiltrating cached conversations via enabled services like Gemini.

    First reported: 21.05.2026 23:07
    1 source, 1 article
  • Google’s GCP console falsely claims API keys are immediately inactive after deletion, misleading users about the true revocation state.

    First reported: 21.05.2026 23:07
    1 source, 1 article
  • Aikido Security recommended a 30-minute monitoring window post-deletion to account for revocation delays and advised reviewing API requests by credential in the GCP console for unexpected activity.

    First reported: 21.05.2026 23:07
    1 source, 1 article
  • Google closed Aikido Security’s report as "won’t fix," though alternative credential types (e.g., service account deletions) propagate revocations in approximately five seconds.

    First reported: 21.05.2026 23:07
    1 source, 1 article
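The 30-minute monitoring recommendation above boils down to one check: for every API key you delete, look for requests that still authenticated with that key after the deletion time. The script below is an added example (not Aikido Security's or Google's code) that runs that check over a constructed, simplified request-log format; the field names, the key ids and the sample requests are all made up for illustration and are not the real GCP audit-log schema. Requests inside the 30-minute window are reported as expected propagation lag, anything later is flagged for escalation, and the largest lag seen per key gives you the revocation delay you actually experienced, which you can compare with the 16–23 minute figures reported above.

```python
"""
Flag API requests that authenticated with an already-deleted API key.

Added example, not the page's or any vendor's code. It assumes a constructed
request-log schema (ts, key_id, method, region), not GCP's real audit-log
format; adapt the Request fields to whatever your log export provides.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)  # monitoring window recommended above


@dataclass(frozen=True)
class Request:
    # One API request from your logs (constructed, simplified schema)
    ts: datetime
    key_id: str
    method: str
    region: str


@dataclass(frozen=True)
class Finding:
    key_id: str
    ts: datetime
    minutes_after_deletion: float
    method: str
    region: str
    in_window: bool  # True: plausible propagation lag; False: escalate


def flag_deleted_key_use(requests, deleted_at):
    """Return every request made with a key after that key's deletion time.

    `deleted_at` maps key id -> deletion timestamp, taken from your own
    change records. Results are ordered by request time.
    """
    findings = []
    for r in sorted(requests, key=lambda r: r.ts):
        deleted = deleted_at.get(r.key_id)
        if deleted is None or r.ts < deleted:
            continue  # key was still valid then, or is not one we deleted
        lag = r.ts - deleted
        findings.append(Finding(r.key_id, r.ts, lag.total_seconds() / 60,
                                r.method, r.region, lag <= WINDOW))
    return findings


def observed_propagation_lag(findings):
    """Per key: minutes from deletion to the last request that still got through."""
    lag = {}
    for f in findings:
        lag[f.key_id] = max(lag.get(f.key_id, 0.0), f.minutes_after_deletion)
    return lag


def _t(minute, second=0):
    # Helper: timestamps on one fixed day, 23:MM:SS UTC (constructed)
    return datetime(2026, 5, 21, 23, minute, second, tzinfo=timezone.utc)


# Constructed sample data: apikey-1 deleted at 23:00:00, apikey-2 at 23:05:00.
DELETED_AT = {"apikey-1": _t(0), "apikey-2": _t(5)}

SAMPLE_REQUESTS = [
    Request(_t(0) - timedelta(seconds=30), "apikey-1", "generateContent", "us-east1"),  # before deletion: fine
    Request(_t(0, 45), "apikey-1", "generateContent", "us-east1"),       # 0.75 min after: propagation lag
    Request(_t(18), "apikey-1", "files.list", "us-east1"),               # 18 min after: inside window
    Request(_t(41), "apikey-1", "files.get", "europe-west1"),            # 41 min after: beyond window, escalate
    Request(_t(7), "apikey-2", "generateContent", "asia-southeast1"),    # 2 min after deletion
    Request(_t(10), "apikey-3", "generateContent", "us-east1"),          # never deleted: ignored
]

if __name__ == "__main__":
    findings = flag_deleted_key_use(SAMPLE_REQUESTS, DELETED_AT)
    for f in findings:
        status = "expected lag" if f.in_window else "ESCALATE"
        print(f"{f.ts:%H:%M:%S} {f.key_id} {f.method} ({f.region}) "
              f"{f.minutes_after_deletion:.1f} min after deletion: {status}")
    print("observed revocation lag (min):", observed_propagation_lag(findings))
```

Run it once with your real deletion times and log export, and keep the job running for at least the full window after each deletion: the page's own data shows success rates differ by region in the first minute, so a single early probe proves nothing, whereas the per-key maximum lag tells you how long the key really stayed usable.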