tl;dr When you delete a Google API key, it says it’s immediately deleted. Our testing says ~23 minutes. During that window, an attacker with a leaked key keeps access to your data and enabled APIs (including Gemini). You have no way to revoke it faster or confirm when it stops working. Google closed our report as “won’t fix”.

When you delete an API key, you expect access to end immediately. Google API keys don’t work this way. Revocation propagates gradually across Google's infrastructure. Some servers reject the key within seconds, others keep accepting it for 23 minutes.

An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations.

The GCP console will not show the key, and it will not tell you the key is still working. You are trusting Google's infrastructure to eventually catch up.

Authentication should not be eventually consistent

Many of Google Cloud's services are eventually consistent by design. In this model, updates propagate gradually across its servers rather than all at once. This tradeoff lets Google scale globally and stay fast, and for most services, the lag is invisible. But for authentication, that tradeoff is harder to justify.

Credential revocation delays are exploitable. A few months ago, Eduard Agavriloae disclosed a 4-second delay that enabled deleted AWS access keys to create new credentials. Four seconds was enough to matter on AWS. Given recent attention to Google API keys used to access Gemini, we set out to measure how long Google's API key revocation window remains open.

What is a revocation window?

The revocation window is the time between when you delete a key and the last successful authentication.

The revocation window is the time between the key’s deletion and the last accepted request.

If the window is a few microseconds, the behavior matches what users expect.
If it’s longer, eve...
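The revocation window defined above, computed from a probe log for a key you own. This is an added example, not code or data from the original article; the log format, sample values and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed probe log for a key you own: "<UTC timestamp> <accepted|rejected>".
# Illustrative values only, not measurements from the article.
DELETED_AT = datetime.fromisoformat("2026-01-01T12:00:00")
SAMPLE_LOG = """\
2026-01-01T11:59:30 accepted
2026-01-01T12:00:05 accepted
2026-01-01T12:00:40 rejected
2026-01-01T12:01:10 accepted
2026-01-01T12:01:45 rejected
2026-01-01T12:02:50 accepted
2026-01-01T12:03:30 rejected
2026-01-01T12:04:10 rejected
"""

def parse_log(text):
    """Return sorted (timestamp, accepted) tuples; blank lines are skipped."""
    probes = []
    for line in filter(str.strip, text.splitlines()):
        stamp, outcome = line.split()
        if outcome not in ("accepted", "rejected"):
            raise ValueError(f"unknown outcome: {outcome!r}")
        probes.append((datetime.fromisoformat(stamp), outcome == "accepted"))
    return sorted(probes)

def revocation_window(deleted_at, probes):
    """Time from deletion to the last accepted request. This is a lower
    bound: a later request that was never sent might still have worked."""
    accepted = [t for t, ok in probes if ok and t >= deleted_at]
    return max(accepted) - deleted_at if accepted else timedelta(0)

def first_rejection(deleted_at, probes):
    """Time from deletion to the first rejected request, or None."""
    rejected = [t for t, ok in probes if not ok and t >= deleted_at]
    return min(rejected) - deleted_at if rejected else None

def acceptance_by_minute(deleted_at, probes):
    """Fraction of probes accepted in each whole minute after deletion."""
    buckets = defaultdict(list)
    for t, ok in probes:
        if t >= deleted_at:
            buckets[int((t - deleted_at).total_seconds() // 60)].append(ok)
    return {m: sum(v) / len(v) for m, v in sorted(buckets.items())}

if __name__ == "__main__":
    p = parse_log(SAMPLE_LOG)
    print(revocation_window(DELETED_AT, p), first_rejection(DELETED_AT, p),
          acceptance_by_minute(DELETED_AT, p))
```

A first rejection that arrives well before the last acceptance is the signature of gradual propagation: one rejected request does not mean the key is dead everywhere.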
First seen: 2026-05-22 06:13
Last seen: 2026-05-23 05:29