Particle.news

Google API Keys in Android Apps Now Unlock Gemini, Exposing Data and Costs

Researchers warn a design change grants old client keys access to Gemini, creating privacy and billing risk.

Overview

  • CloudSEK reports that enabling the Gemini API on a Google Cloud project silently turns that project's older 'AIza' client keys, including ones shipped inside apps, into working Gemini credentials; nothing warns the developer that a key issued for another service now reaches Gemini.
  • Its BeVigil scan found 32 live keys hardcoded in 22 popular Android apps with a combined total of more than 500 million installs, including Google Pay for Business, Oyo Hotels, Taobao, Elsa Speak, The Hindu, and others.
  • Using one of the exposed keys, the researchers retrieved user-uploaded audio recordings from an English-learning app through the Gemini Files API.
  • Stolen keys can run up large bills for the developer who owns them; reports cite $15,400 charged within hours and losses reaching $128,000.
  • Researchers urge developers to audit shipped apps for embedded keys, rotate any they find, and restrict each key to the specific APIs it needs; reports say Google has not issued a detailed response.
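The audit the researchers call for, as an added example rather than CloudSEK's or BeVigil's tooling: a Python script that scans a strings dump from a decompiled APK for AIza-format keys and, for each one, probes the Gemini API to tell a key that is already a working Gemini credential from one whose project has simply not enabled the API yet (the latent case in the first bullet) or one that has been restricted away from the service. The endpoint paths and the error 'reason' strings are assumed from Google's public REST error format, the sample dump and the canned responses are constructed, and the key values are fake strings built to the 39-character format.

```python
"""Audit an APK strings dump for hardcoded Google 'AIza' keys and probe each one
against the Gemini API. Added example, not CloudSEK's or BeVigil's code; endpoint
paths and error 'reason' strings are assumed from Google's public REST conventions."""
import json
import re
import sys
import urllib.error
import urllib.request

# An AIza key is 39 characters: the literal prefix plus 35 key characters. The
# lookarounds stop a longer token that merely contains such a run from matching.
AIZA_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")
GEMINI_MODELS = "https://generativelanguage.googleapis.com/v1beta/models"
GEMINI_FILES = "https://generativelanguage.googleapis.com/v1beta/files"


def find_keys(text):
    """Unique AIza-format keys in first-seen order."""
    found = []
    for match in AIZA_RE.finditer(text):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def classify(status, body):
    """Map an HTTP status and decoded JSON body to a verdict on the key."""
    details = body.get("error", {}).get("details", []) if isinstance(body, dict) else []
    reasons = {d.get("reason") for d in details if isinstance(d, dict)}
    if status == 200:
        return "accepted"               # the key is a working Gemini credential
    if status == 429:
        return "accepted_rate_limited"  # accepted; someone is already burning its quota
    if "SERVICE_DISABLED" in reasons:
        return "gemini_not_enabled"     # latent: enabling the API would activate this key
    if "API_KEY_SERVICE_BLOCKED" in reasons:
        return "key_restricted"         # API restriction excludes Gemini: the safe state
    if "API_KEY_INVALID" in reasons:
        return "invalid_or_revoked"
    return f"unclassified_{status}"


def http_fetch(url):
    """Live GET; use only against keys you are authorised to test."""
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_key(key, endpoint=GEMINI_MODELS, fetch=http_fetch):
    """A plain GET with ?key= is enough to learn how the project treats the key."""
    status, raw = fetch(f"{endpoint}?key={key}")
    try:
        body = json.loads(raw or b"{}")
    except ValueError:
        body = {}
    return classify(status, body)


def audit(text, fetch=http_fetch):
    """Verdict per key on the models endpoint; for accepted keys, also whether the
    same key can enumerate Files API uploads, as in the audio-retrieval case."""
    report = {}
    for key in find_keys(text):
        verdict = probe_key(key, GEMINI_MODELS, fetch)
        files = probe_key(key, GEMINI_FILES, fetch) if verdict == "accepted" else None
        report[key] = {"models": verdict, "files": files}
    return report


# Constructed sample: fake keys built to the 39-character format, in lines like
# those `strings` or apktool emit from an Android app. The last line must not match.
KEY_A = "AIza" + "SyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q"
KEY_B = "AIza" + "SyB" + "x" * 32
SAMPLE_DUMP = f"""<string name="google_api_key">{KEY_A}</string>
const-string v0, "{KEY_B}"
https://maps.googleapis.com/maps/api/js?key={KEY_A}&callback=init
AIzaShort123 token_{KEY_B}abc"""


def constructed_fetch(url):
    """Canned responses in Google's error shape (constructed), standing in for the network."""
    if KEY_A in url:
        body = ({"files": [{"name": "files/example", "mimeType": "audio/mpeg"}]}
                if url.startswith(GEMINI_FILES) else {"models": [{"name": "models/example"}]})
        return 200, json.dumps(body).encode()
    reason = "SERVICE_DISABLED" if KEY_B in url else "API_KEY_INVALID"
    status = 403 if KEY_B in url else 400
    return status, json.dumps({"error": {"code": status, "details": [{"reason": reason}]}}).encode()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python aiza_audit.py strings.txt -> live probes
        dump, fetch = open(sys.argv[1], encoding="utf-8", errors="replace").read(), http_fetch
    else:                  # no argument -> offline demo on the constructed dump
        dump, fetch = SAMPLE_DUMP, constructed_fetch
    for key, v in audit(dump, fetch).items():
        print(f"{key[:8]}...{key[-4:]}  models={v['models']}  files={v['files']}")
```

Run it with no argument for the offline demo; pass a file produced by `strings` over `classes.dex` or by apktool to probe live, and only for apps you are authorised to assess, since a Files listing reads other people's uploads. `gemini_not_enabled` is the verdict to watch for: the key is live in a project that has not yet turned on the API, which is exactly the state the report says becomes `accepted` the moment someone enables Gemini. `key_restricted` is what a correctly scoped key returns.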