Google API Keys Stay Active After Deletion
Key insights
- Google API keys authenticate successfully even after users delete them, making revocation functionally meaningless at the backend.
- The flaw directly undermines post-breach incident response, where credential deletion is a standard containment step.
- Google has issued no patch, timeline, or public acknowledgment as of the researcher's disclosure.
Why this matters
Any security model that treats key deletion as access termination is now unreliable on Google infrastructure, which means audit logs, SIEM alerts, and breach containment runbooks built around that assumption are producing false confidence. AI application developers who embed Google API keys in automated pipelines have no guaranteed revocation mechanism, which is especially critical as agentic systems proliferate with long-lived credentials baked into them. Until Google patches the backend, every enterprise that has rotated a Google API key after a suspected compromise must treat that old key as still live and reassess exposure accordingly.
Summary
Google API keys continue to authenticate requests even after users explicitly delete them, a security researcher has disclosed, exposing a fundamental gap between what the revocation UI promises and what the backend enforces.
The finding is most dangerous in incident response workflows. When a breach occurs, the standard playbook is to rotate or delete compromised credentials immediately. If deleted keys remain valid, that playbook fails silently: developers and security teams believe they've cut off access, while the attacker's session continues uninterrupted.
Essentially: Google has a credential lifecycle bug where deletion is cosmetic, not functional.
- Deleted API keys still pass authentication checks against Google services, meaning revocation provides no actual access termination.
- Enterprises relying on key deletion as a post-breach containment step are exposed until Google deploys a backend fix.
- Google has not issued a public statement, patch, or timeline as of the disclosure date.
This story lands at a moment when API credential sprawl is already a top attack surface across cloud environments, and it puts Google's IAM reliability under scrutiny at scale.
Potential risks and opportunities
Risks
- Enterprises that deleted Google API keys during breach response in the past 12 months may still have live attacker sessions they believe were terminated, requiring retroactive forensic review.
- Google Cloud customers in regulated industries (finance, healthcare) face potential compliance violations if auditors determine that their documented revocation controls were non-functional during that period.
- Third-party SaaS vendors that rotate customer-delegated Google API keys as a standard offboarding step are now giving those customers a security guarantee that does not hold, creating liability exposure if a breach follows.
Opportunities
- Secrets management platforms (HashiCorp Vault, Doppler, Infisical) can differentiate by adding active liveness-verification checks that confirm a deleted credential is actually inactive, not just removed from the UI.
- Cloud security posture management vendors (Wiz, Orca Security, Lacework) have a concrete new detection category to ship: flagging API keys that remain active post-deletion across major providers.
- Penetration testing and red team firms gain a high-value finding category to add to Google Cloud engagement scopes, increasing billable scope and urgency for clients running GCP-heavy stacks.
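A post-deletion revocation check of the kind the "Why this matters" paragraph and the liveness-verification bullet above call for, as an added example in Python (not code from the article, the researcher, or Google): it presents the already-deleted key to a keyed endpoint several times and treats any successful response as proof that the key is still live. The endpoint URL and the `http_probe` helper are assumptions; the Gemini models endpoint is used only because it accepts an API key as a query parameter.

```python
import time
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Assumed endpoint (not from the article): any Google endpoint that accepts an
# API key as a query parameter will do; prefer one the deleted key was scoped to.
PROBE_URL = "https://generativelanguage.googleapis.com/v1beta/models?key={key}"

def http_probe(key: str) -> int:
    """Present the OLD key to the backend and return the HTTP status it answers."""
    req = urllib.request.Request(PROBE_URL.format(key=key))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def classify(status: int) -> str:
    """Turn one probe status into a verdict about the deleted key."""
    if 200 <= status < 300:
        return "LIVE"          # backend still honours the key: deletion was cosmetic
    if status in (400, 401, 403):
        return "REVOKED"       # key rejected (400 counts only if the request shape is known-good)
    return "INCONCLUSIVE"      # 404 / 429 / 5xx: endpoint or quota trouble, not a verdict

def verify_revocation(key: str, probe: Callable[[str], int] = http_probe,
                      checks: int = 3, interval_s: float = 0.0) -> Tuple[str, List[str]]:
    """Probe `checks` times; a single successful authentication means the key is live.

    Repeating the probe matters because any propagation delay or cache TTL behind
    the deletion is undisclosed, so one early rejection on its own proves little."""
    verdicts: List[str] = []
    for i in range(checks):
        verdicts.append(classify(probe(key)))
        if i < checks - 1 and interval_s:
            time.sleep(interval_s)
    if "LIVE" in verdicts:
        return "LIVE", verdicts
    if all(v == "REVOKED" for v in verdicts):
        return "REVOKED", verdicts
    return "INCONCLUSIVE", verdicts

if __name__ == "__main__":
    # Run against a key you have just deleted; anything other than REVOKED means
    # the key stays in your exposure model and the check is repeated later.
    import sys
    print(verify_revocation(sys.argv[1], interval_s=30))
```

A LIVE or INCONCLUSIVE verdict belongs in the incident record alongside the deletion timestamp, since the deletion itself can no longer serve as evidence of containment.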
What we don't know yet
- Which specific Google APIs and services are affected, and whether newer credential types like service account keys or OAuth tokens share the same backend flaw.
- How long deleted keys remain valid after deletion, whether indefinitely or subject to an undisclosed TTL or cache expiry window.
- Whether Google's internal security team had prior knowledge of this behavior and classified it as intended design rather than a defect before the public disclosure.
Originally reported by darkreading.com
Original headline: Google API Keys Remain Fully Active and Usable After Explicit Deletion — Security Researcher Discloses Design Flaw