Comment by klooney
3 days ago
> Retroactive Privilege Expansion. You created a Maps key three years ago and embedded it in your website's source code, exactly as Google instructed. Last month, a developer on your team enabled the Gemini API for an internal prototype. Your public Maps key is now a Gemini credential. Anyone who scrapes it can access your uploaded files, cached content, and rack up your AI bill. Nobody told you.
Malpractice/I can't believe they're just rolling forward
They should limit the new features to new API keys that explicitly opt-in instead of fucking over every user who trusted their previous documentation that these keys are public information.
Isn't it standard practice to harden permissions on API keys? Like, if I were a bootstrapped startup maybe I'd take shortcuts and let an API key have a * permission, but not for anything that could rack up thousands of dollars in bills for the customer. But at Google's scale that just seems irresponsible.
Maps keys should not be made public otherwise an attacker can steal them and drain your wallet and use it for their own sites.
Maps keys are always public in js on the website (but locked to use on certain domains). That’s how they work.
It is not actually locked to a site; it is just based off the host header, which is public information an attacker can use to make the requests.
It’s been years but I thought I recalled having to use the key but then also setting what sites it’d work on.
If an attacker can figure out what sites it can be used on, they can use the API.