API keys that Google said were 'OK to publish' also authenticate to Gemini, so many websites are leaking sensitive information



Google has stated that API keys for services such as Firebase and Google Maps are 'safe to share', but Truffle Security has found that the same keys can also be used to call the Gemini API in the administrator's Google Cloud project.

Google API Keys Weren't Secrets. But then Gemini Changed the Rules. ◆ Truffle Security Co.

https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules

Firebase documentation states that 'API keys for Firebase services are not private' and that they can be safely embedded in your code.



The Google Maps documentation also provides an example of including an API key in your website's code.



Until now, a website administrator who published such a key suffered no harm from doing so. Truffle Security points out, however, that 'the emergence of Gemini has undermined this assumption.'

According to Truffle Security, a Google API key that has been published in this way can also be used to call the Gemini API in the same Google Cloud project. That means that once a website administrator enables the Gemini API in that project, an outsider who holds the already-public key can call Gemini with it and retrieve the files the project has uploaded to Gemini. Beyond stealing data, an attacker could also use Gemini under the victim's key and run up large API bills in the victim's name.

Truffle Security scanned a dataset of 2.29 billion pages crawled in November 2025 and found 2,863 leaked API keys affected by this problem. Google's own website was affected as well: one of its keys exposed sensitive information in the same way.



Truffle Security reported the issue to Google on November 21, 2025, but on November 25 Google classified the behaviour as 'intended' and declined to fix it. On December 1, Truffle Security demonstrated that Google's own data could be accessed the same way, and on December 2 the report was reclassified as a 'bug' and work on a fix began.

The problem was not resolved within the 90-day disclosure deadline, which expired on February 19, 2026, so Truffle Security has now published the details.

Truffle Security urges anyone using Google APIs to check whether the API keys they have published can reach the Gemini API, and to restrict them if they can.
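The check the article recommends can be done from a script: pull any Google API keys out of a page, then ask the Gemini API (the Generative Language API) whether it accepts each one. The script below is an added example written for this article; it is not code from Truffle Security or Google. It assumes only the public models-listing endpoint `https://generativelanguage.googleapis.com/v1beta/models?key=...` and Google's standard `google.rpc.ErrorInfo` error format. The sample page, the fake keys in it and the sample HTTP responses are all constructed, so the offline run never contacts Google; `--live` performs the real probe, which you should only run against keys you own.

```python
"""Audit web content for embedded Google API keys and work out whether each
key can reach the Gemini API.

Added example for this article, not code from Truffle Security or Google.
It assumes only the public Generative Language API models endpoint and
Google's standard google.rpc.ErrorInfo error format; the HTML page, the keys
and the HTTP responses below are constructed, so the offline run never
contacts Google.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Google API keys are "AIza" followed by 35 URL-safe characters. A Firebase
# key, a Maps key and a Gemini key all look the same; any restriction lives
# on the key object in the project, not in the string itself.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

GEMINI_MODELS_URL = "https://generativelanguage.googleapis.com/v1beta/models"

# Fake keys for the constructed sample page (correct length, not real).
FAKE_KEY_1 = "AIzaSyA" + "0" * 32
FAKE_KEY_2 = "AIzaSyB" + "1" * 32

# Constructed sample page: a Firebase web config plus a Maps script tag,
# which is exactly how such keys end up public in the first place.
SAMPLE_HTML = f"""
<script>
  const firebaseConfig = {{
    apiKey: "{FAKE_KEY_1}",
    authDomain: "example-app.firebaseapp.com",
    projectId: "example-app",
  }};
</script>
<script src="https://maps.googleapis.com/maps/api/js?key={FAKE_KEY_2}"></script>
"""


def find_api_keys(text: str) -> list[str]:
    """Return the distinct Google API keys in page text, in order of appearance."""
    found: list[str] = []
    for match in GOOGLE_API_KEY_RE.finditer(text):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def gemini_probe_url(key: str) -> str:
    """Read-only models listing: the cheapest call that still needs a key Gemini accepts."""
    return f"{GEMINI_MODELS_URL}?key={key}"


def classify_probe(status: int, body: str) -> str:
    """Turn the probe's HTTP status and JSON body into an audit verdict."""
    if status == 200:
        return "GEMINI_REACHABLE"       # key accepted: Gemini enabled, not excluded by restrictions
    try:
        err = json.loads(body).get("error", {})
    except (json.JSONDecodeError, AttributeError):
        return f"UNKNOWN_HTTP_{status}"
    reasons = {d.get("reason") for d in err.get("details", []) if isinstance(d, dict)}
    if "API_KEY_SERVICE_BLOCKED" in reasons:
        return "RESTRICTED"             # API restrictions on the key exclude Gemini: the safe state
    if "SERVICE_DISABLED" in reasons:
        return "GEMINI_NOT_ENABLED"     # project has not enabled Gemini yet: exposed the day it does
    if "API_KEY_INVALID" in reasons:
        return "INVALID_KEY"            # revoked, deleted or never a real key
    return str(err.get("status", f"UNKNOWN_HTTP_{status}"))


def probe_key(key: str, timeout: float = 10.0) -> str:
    """Live check: one GET against the models endpoint. Run only against keys you own."""
    req = urllib.request.Request(gemini_probe_url(key),
                                 headers={"User-Agent": "gemini-key-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_probe(exc.code, exc.read().decode())


def _error_body(status_text: str, reason: str) -> str:
    """Constructed error response in Google's standard format."""
    return json.dumps({"error": {"status": status_text, "details": [
        {"@type": "type.googleapis.com/google.rpc.ErrorInfo", "reason": reason}]}})


# One constructed response per verdict, so the classifier runs without network.
SAMPLE_RESPONSES = {
    "unrestricted": (200, json.dumps({"models": [{"name": "models/example"}]})),
    "restricted": (403, _error_body("PERMISSION_DENIED", "API_KEY_SERVICE_BLOCKED")),
    "not_enabled": (403, _error_body("PERMISSION_DENIED", "SERVICE_DISABLED")),
    "invalid": (400, _error_body("INVALID_ARGUMENT", "API_KEY_INVALID")),
}


def main(argv: list[str]) -> None:
    live = "--live" in argv
    for key in find_api_keys(SAMPLE_HTML):
        verdict = probe_key(key) if live else "(offline; pass --live to probe)"
        print(f"{key[:10]}... {verdict}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

A verdict of `GEMINI_REACHABLE` on a key that is meant only for Firebase or Maps is the exposure this article describes; `GEMINI_NOT_ENABLED` means the same key becomes exposed the moment someone enables Gemini in that project. The fix in both cases is to put API restrictions on the key (Google Cloud Console, Credentials, "API restrictions", or `gcloud services api-keys update KEY_ID --api-target=service=...`) so it only serves the APIs the page actually needs, and to rotate any key that has already been used for Gemini calls you did not make.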

In AI, Security, Posted by log1o_hf