AnswersPublished16 sources
Google Cloud API Keys May Keep Working Up to 23 Minutes After Deletion
Security researchers found that Google Cloud API keys can still authenticate requests for 8–23 minutes after deletion (about 16 minutes median), creating a temporary window where stolen keys may continue accessing API... The delay happens because revocation propagates gradually across Google’s distributed infrastruc...
1.2M0
AI Prompt
openai.comCreate a landscape editorial hero image for this Studio Global article: What security vulnerability did Aikido Security discover in Google Cloud API key deletion, how long can deleted keys still authenticate requ. Article summary: Aikido Security reported that deleting a Google Cloud API key does not revoke it immediately: the key can still successfully authenticate requests for several minutes after deletion, creating a delayed-revocation window . Topic tags: general, documentation, general web, government, education. Reference image context from search candidates: Reference image 1: visual subject "CyberInsider covers the latest news in the cybersecurity and data privacy world. Deleted Google API keys remain valid for up to 23 minutes after revocation, potentially allowing at" source context "Google “Won’t Fix” API key staying active for 23 mins after deletion | CyberInsider" Reference
Deleting a Google Cloud API key does not necessarily stop it from working immediately. Security researchers at Aikido Security discovered that a deleted key can continue authenticating requests for several minutes after removal, creating a short but meaningful window in which leaked credentials can still be abused.
In testing, the researchers observed that deleted keys remained usable for 8 to 23 minutes, with a median of roughly 16 minutes, even though the Google Cloud console indicates the key has already been removed.
The delayed‑revocation vulnerability
The issue stems from how credential changes propagate across Google’s distributed infrastructure. When a key is deleted, the revocation is not enforced simultaneously on every server handling API authentication. Some systems reject the credential quickly, while others may still accept it until the deletion update reaches them.
Studio Global AI
Search, cite, and publish your own answer
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
People also ask
What is the short answer to "Google Cloud API Keys May Keep Working Up to 23 Minutes After Deletion"?
Security researchers found that Google Cloud API keys can still authenticate requests for 8–23 minutes after deletion (about 16 minutes median), creating a temporary window where stolen keys may continue accessing API...
What are the key points to validate first?
Security researchers found that Google Cloud API keys can still authenticate requests for 8–23 minutes after deletion (about 16 minutes median), creating a temporary window where stolen keys may continue accessing API... The delay happens because revocation propagates gradually across Google’s distributed infrastructure rather than instantly.
What should I do next in practice?
Until the propagation delay is resolved, organizations should treat API key deletion as incomplete revocation and monitor usage, rotate credentials, and apply strict key restrictions.
Sources
- helpnetsecurity.comDeleted Google API keys keep working for up to 23 minutes, researchers warn - Help Net Security
- gigazine.netResearchers have confirmed that leaked Google API keys may remain usable for approximately 23 minutes after deletion.
- techradar.com'You have no way to revoke it faster or confirm when it stops working': Experts find Google API keys are still usable, even after you delete them
- cyberinsider.comGoogle “Won't Fix” API key staying active for 23 mins after deletion
- aikido.devGoogle API keys keep working after you delete them - Aikido Security
Loading comments...
Comments
0 comments