Google Cloud API Keys Remain Active for Up to 23 Minutes After Deletion, Exposing a Critical Access Window
What Happened — A security researcher found that Google Cloud API keys continue to function for an average of 23 minutes after a user deletes them via the console or API, despite Google’s claim that deletions are immediate. The delay creates a short‑lived window where the keys can still be used to access Google services.
Why It Matters for TPRM —
- Third‑party applications that rely on Google APIs may retain active credentials after a revocation request, risking unauthorized data access.
- The latency can be exploited by threat actors who obtain a key shortly before deletion, allowing them to exfiltrate data or perform malicious actions.
- Vendors and customers must reassess key‑rotation and revocation processes to ensure no residual access remains.
Who Is Affected — Cloud‑service users across all sectors (tech, finance, healthcare, retail, etc.) that integrate Google Cloud APIs, especially those managing high‑privilege service accounts.
Recommended Actions —
- Verify that any decommissioned API keys are fully revoked before re‑using or discarding them.
- Implement automated monitoring to detect API calls from keys flagged for deletion.
- Adjust key‑rotation policies to account for a 30‑minute grace period after deletion.
- Engage Google support to confirm the expected revocation timeline and request any available hard‑delete options.
Technical Notes — The issue stems from an internal propagation delay within Google’s credential management system; no CVE has been assigned. Affected keys can still invoke any API scopes they were originally granted, including Cloud Storage, BigQuery, and IAM‑related endpoints. Source: Dark Reading