Deleted Google API Keys Still Active for 23 Minutes

The Deletion Delay: A Security Risk

A security researcher found that Google API keys remain usable for nearly 24 minutes after being deleted. This contradicts Google's claim of immediate deletion. The discovery was made by Joe Leo, who tested the duration API keys stay active after removal.

Google API keys aren't completely inactive after users delete them, giving attackers a small window to continue abusing them. The delay between deletion and deactivation can be exploited by malicious actors. This issue highlights a potential security risk for users who rely on Google's cloud services.

The 23-minute delay is significant because it allows attackers to continue using compromised API keys. During this time, malicious activities can be carried out without restriction. The researcher demonstrated that the keys remain valid even after being deleted from the Google Cloud Console.

Can Google Do Better?

Google's current system doesn't immediately revoke API keys upon deletion. Instead, it takes around 23 minutes for the keys to become inactive. This lag raises questions about the effectiveness of Google's security measures.

The consequences of this delay can be severe, as attackers can exploit the window to access sensitive data or disrupt services. Google may need to revisit its API key management to minimize the risk.

Frequently Asked Questions

Q: How long do Google API keys remain active after deletion? A: Google API keys remain active for approximately 23 minutes after being deleted. This delay can be exploited by attackers.

Q: What is the potential impact of this delay? A: The delay can allow malicious actors to continue using compromised API keys, potentially leading to unauthorized access or disruptions.

Q: Will Google address this issue? A: The article does not specify whether Google plans to address the issue, but it highlights the need for improved API key management.