klooney | 4 days ago

> Retroactive Privilege Expansion. You created a Maps key three years ago and embedded it in your website's source code, exactly as Google instructed. Last month, a developer on your team enabled the Gemini API for an internal prototype. Your public Maps key is now a Gemini credential. Anyone who scrapes it can access your uploaded files, cached content, and rack up your AI bill. Nobody told you.

Malpractice/I can't believe they're just rolling forward

crest | 4 days ago

They should limit the new features to new API keys that explicitly opt-in instead of fucking over every user who trusted their previous documentation that these keys are public information.

abustamam | 3 days ago

Isn't it standard practice to harden permissions on API keys? Like, if I were a bootstrapped startup maybe I'd take shortcuts and let an API key have a * permission, but not for anything that could rack up thousands of dollars in bills for the customer. But at Google's scale that just seems irresponsible.

charcircuit | 3 days ago

Maps keys should not be made public; otherwise an attacker can steal them, drain your wallet, and use them for their own sites.

grey-area | 3 days ago

Maps keys are always public in js on the website (but locked to use on certain domains). That’s how they work.

IanCal | 3 days ago

It's been years, but I thought I recalled having to use the key and then also setting what sites it'd work on.
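The situation the quoted article and grey-area describe, a key that is referrer-locked but not API-locked, can be found with a small audit. This is an added example, not code from the thread or from Google: it walks key records shaped like the API Keys API v2 `Key` resource (that shape is an assumption; the sample keys, project and service lists are constructed) and flags any key whose `apiTargets` is empty, since such a key is valid for every API enabled on the project, including APIs enabled after the key was created.

```python
"""Audit API keys for retroactive privilege expansion.

A key with no API target restriction is accepted by every API enabled on the
project. If someone enables a new API later, every such key silently gains it,
even a browser key that is locked to specific referrers.
"""
from dataclasses import dataclass

# Constructed sample records modelled on the API Keys API v2 `Key` resource
# (restrictions.browserKeyRestrictions.allowedReferrers, restrictions.apiTargets).
# Names and values are made up for this example.
SAMPLE_KEYS = [
    {"displayName": "maps-web-2022",          # referrer-locked, no apiTargets
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}}},
    {"displayName": "maps-web-scoped",        # referrer-locked AND API-locked
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
                      "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
    {"displayName": "prototype-unrestricted", # no restrictions at all
     "restrictions": {}},
]

# APIs currently enabled on the project (constructed); the second one was enabled later.
ENABLED_SERVICES = ["maps-backend.googleapis.com", "generativelanguage.googleapis.com"]


@dataclass
class Finding:
    key: str
    unexpected_services: list
    reason: str


def effective_services(key: dict, enabled: list) -> list:
    """Services a key can call: its apiTargets if set, otherwise every enabled API."""
    targets = key.get("restrictions", {}).get("apiTargets") or []
    if not targets:
        return list(enabled)
    allowed = {t["service"] for t in targets}
    return [s for s in enabled if s in allowed]


def audit(keys: list, enabled: list, expected_services: list) -> list:
    """Flag keys that can reach services beyond what their owner intended."""
    findings = []
    for key in keys:
        extra = sorted(set(effective_services(key, enabled)) - set(expected_services))
        if extra:
            locked = bool(key.get("restrictions", {}).get("browserKeyRestrictions"))
            reason = ("referrer-locked but no apiTargets; inherits newly enabled APIs"
                      if locked else "no restrictions at all")
            findings.append(Finding(key["displayName"], extra, reason))
    return findings
```

The fix for a flagged key is to set `apiTargets` to the services it actually needs; referrer locking alone does not bound which APIs a key is accepted by.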