Deleted Google API Keys Remain Active for Up to 23 Minutes After Deletion, Exposing GCP Services
What Happened — A recent independent study discovered that Google Cloud API keys continue to function for as long as 23 minutes after a user deletes them via the console or API. During this window, threat actors can still invoke services such as BigQuery, Gemini, Maps, and other GCP APIs, potentially harvesting sensitive data or incurring unauthorized charges.
Why It Matters for TPRM —
- The revocation delay creates a predictable window for credential abuse, increasing third‑party risk for any organization that outsources workloads to Google Cloud.
- Unchecked API usage can lead to data exfiltration, cost inflation, and compliance violations that flow back to the primary vendor relationship.
- Existing risk assessments that assume immediate key invalidation may underestimate exposure.
Who Is Affected — Cloud‑first enterprises, SaaS providers, data‑analytics firms, and any organization that integrates Google Cloud APIs (e.g., FIN_SERV, TECH_SAAS, RETAIL_ECOM, GOV_PUBLIC).
Recommended Actions —
- Review all active Google API keys and enforce a “rotate‑and‑revoke” policy with minimal exposure time.
- Implement monitoring for API calls on keys scheduled for deletion and set alerts for any activity within the 30‑minute window.
- Engage Google Cloud account teams to confirm they are aware of the revocation lag and request any available mitigations (e.g., immediate revocation via support tickets).
Technical Notes — The issue stems from an internal propagation delay in Google’s API‑key revocation workflow, not a disclosed CVE. Attackers can exploit the window via automated scripts that repeatedly attempt calls using the soon‑to‑be‑deleted key. Exposed data includes project metadata, query results, geolocation data, and AI model outputs. Source: HackRead