ChatGPT writing a blog post attacking Gemini security flaws. It's their world now, we're just watching how it plays out.
Private data should not be allowed to be accessed using public keys. That is the core problem. It is not about whether Google API keys are secret or not.
Explain It Like I'm Five.
From TFA:
> Last month, a developer on your team enabled the Gemini API for an internal prototype.

> The result: thousands of API keys that were deployed as benign billing tokens are now live Gemini credentials sitting on the public internet.
Benign, deployed openly without any access restrictions whatsoever, billing tokens can be used to bill for a service under the account it is enabled for. That's the intended behavior, literally. Maps API keys are used to give your users access to Google Maps on your credit card.
What's the problem here? Yes, the defaults could have been stricter, but it's not like it costs anything to create a bunch of internal projects that do not have good-for-billing access keys floating around the open internet. People moved fast, deployed LLM-generated code, broke things and then blame everyone else but themselves?