WingNews logo WingNews
top | item 47161734

(no title)

warmedcookie | 3 days ago

What's frustrating is that a lot of these keys were generated a long time ago with a small amount of GCP services that they could connect to. (Ex. Firebase remote config, firestore, etc.)

When Gemini came around, rather than that service being disabled by default for those keys, Gemini was enabled, allowing exploiters to easily utilize these keys (Ex. a "public" key stored in an APK file)

discuss

order

decimalenough|3 days ago

Gemini API is not enabled by default, a project owner has to go explicitly enable it.

The problem described here is that developer X creates an API key intended for Maps or something, developer Y turns on Gemini, and now X's key can access Gemini without either X or Y realizing that this is the case.

The solution is to not reuse GCP projects for multiple purposes, especially in prod.

rezonant|3 days ago

Please see my response to your pasted comment in another thread: for many APIs that you can enable on a GCP project, you are intended to use the same GCP project across the whole application for quota tracking. Google even makes you assert that you are only using one GCP project (or at least list out all GCP projects, which APIs are enabled on them and what their purpose is and why you have more than one) when seeking approval for public facing OAuth.

alphalima|3 days ago

You are wrong that increasing projects have no cost; many services have project based costs (Cloud Armour rules cannot be used cross project at the base tier), many services (mostly observeability) degrade significantly cross project, the Google Cloud Console _sucks_ cross project.

You are also wrong in saying there are no projects that could reasonably have a safe api key made unsafe by this exploit.

One example, a service that has firebase auth must publish the key (Google's docs recommend). Later, you add gen ai to that service, managing access using IAM/service accounts (the proper way). You've now elevated the Firebase Auth Key to be a Gemini key. Really undeniably poor from Google.

deaux|3 days ago

The problem is Google explicitly stating that those API keys are not secret and should be public, which indeed was true until Gemini came around.

happyopossum|3 days ago

The problem is that developer X did not properly scope the API key when he created it. Yes, separate projects would also stop this, but keys have been capable for ever and creating unrestricted keys is strongly discouraged. Pretty sure you can even set an org policy to prevent someone from doing so…

Dylan16807|3 days ago

It's not enabled by default on projects but it's enabled by default on keys.

It shouldn't be enabled by default on either one.

flomo|3 days ago

Or usecase: developer X stopped using Maps/etc N years ago, and is long gone, and then developer Y stumbles into the company's google api console.

Of course, Google is full of smart anti-fraud experts, they just handle 80% of this shit on the back-end, so they don't care about the front-end pain.