Overview
Google’s introduction of the Gemini API created a serious security vulnerability where previously harmless public API keys suddenly gained access to sensitive capabilities without developer awareness. The issue stems from Google Maps and Gemini sharing the same API key system, turning public identifiers into secret credentials overnight.
The Breakdown
- Google Maps API keys are designed to be public and embedded directly in web pages since they only access non-sensitive mapping data - this was the original security model
- When the Gemini API is enabled on the same Google Cloud project, existing Maps keys automatically inherit access to sensitive Gemini endpoints - developers receive no warning about this privilege escalation
- The same key that was safely public can now access private files and make billable API requests through Gemini - turning a public identifier into a secret credential
- Truffle Security discovered 2,863 exposed API keys in web crawl data that could access Gemini, including Google’s own keys - some predating Gemini’s existence by years
- This creates an accidental privilege escalation where developers unknowingly expose sensitive capabilities - the security context changed without explicit developer action
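The mechanism in the list above, reduced to a small model so the escalation and its mitigation can be seen side by side. This is an added illustration, not Truffle Security's or Google's code: it models a project whose keys are either unrestricted (the default) or restricted to a named API, scans a constructed HTML fragment for key-shaped strings, and reports which embedded keys can reach a sensitive API before and after the Gemini service is enabled. The service names, the key strings and the page fragment are all constructed for the example; the key-shaped strings are not real credentials.

```python
import re
from dataclasses import dataclass

# Shape of a Google Cloud API key: "AIza" prefix followed by 35 URL-safe characters.
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

# Service labels used by this model only; nothing here talks to Google.
MAPS_API = "maps-backend.googleapis.com"
GEMINI_API = "generativelanguage.googleapis.com"
SENSITIVE_APIS = frozenset({GEMINI_API})

# Constructed key values: key-shaped strings, not real credentials.
PUBLIC_KEY_UNRESTRICTED = "AIzaCONSTRUCTED_EXAMPLE_KEY_00000000001"
PUBLIC_KEY_RESTRICTED = "AIzaCONSTRUCTED_EXAMPLE_KEY_00000000002"


@dataclass(frozen=True)
class ApiKey:
    value: str
    # An empty set models the default of "no API restriction": the key is valid
    # for every API the project has enabled, now or in the future.
    api_restrictions: frozenset = frozenset()


class Project:
    def __init__(self, enabled_apis, keys):
        self.enabled_apis = set(enabled_apis)
        self.keys = {k.value: k for k in keys}

    def enable_api(self, api):
        """Enabling a service on the project changes what every unrestricted key can reach."""
        self.enabled_apis.add(api)

    def effective_apis(self, key):
        """APIs this key can call: the project's enabled set, narrowed by any restriction."""
        if key.api_restrictions:
            return self.enabled_apis & key.api_restrictions
        return set(self.enabled_apis)


def find_embedded_keys(text):
    """Return the distinct key-shaped strings embedded in public content."""
    return sorted(set(GOOGLE_API_KEY_RE.findall(text)))


def audit_exposed_keys(project, public_text, sensitive_apis=SENSITIVE_APIS):
    """Map each publicly embedded project key to the sensitive APIs it can reach."""
    findings = {}
    for value in find_embedded_keys(public_text):
        key = project.keys.get(value)
        if key is None:
            continue  # not one of this project's keys; out of scope for the model
        reachable = project.effective_apis(key) & set(sensitive_apis)
        if reachable:
            findings[value] = sorted(reachable)
    return findings


# Constructed page fragment: the kind of public HTML a Maps key is meant to live in.
PUBLIC_PAGE = f"""
<script src="https://maps.googleapis.com/maps/api/js?key={PUBLIC_KEY_UNRESTRICTED}"></script>
<script src="https://maps.googleapis.com/maps/api/js?key={PUBLIC_KEY_RESTRICTED}"></script>
"""


def demo():
    """Audit the same page before and after the Gemini service is enabled on the project."""
    project = Project(
        enabled_apis={MAPS_API},
        keys=[
            ApiKey(PUBLIC_KEY_UNRESTRICTED),                       # default: no restriction
            ApiKey(PUBLIC_KEY_RESTRICTED, frozenset({MAPS_API})),  # hardened: Maps only
        ],
    )
    before = audit_exposed_keys(project, PUBLIC_PAGE)
    project.enable_api(GEMINI_API)
    after = audit_exposed_keys(project, PUBLIC_PAGE)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before enabling Gemini:", before)
    print("after enabling Gemini: ", after)
```

Nothing about the page changed between the two audits; only the project's enabled services did, which is the point of the write-up. In the model the unrestricted key goes from harmless to sensitive the moment the new service appears, while the key restricted to the Maps service is unaffected, so the defensive takeaway is the one the model makes explicit: keys that are meant to be public should carry an explicit API restriction, and public content should be scanned for key-shaped strings so an audit like this can be re-run whenever a project's enabled services change.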