Google API Keys Allow Public Access to Sensitive Data
Have you embedded Google API keys in your website or mobile apps to reach public services such as Maps or YouTube? If so, and the Generative Language API is also enabled in the same Google Cloud project, those keys may now give anyone who finds them access to Gemini, to files your project has uploaded there, and to billable quota.
What’s going on
API keys created for services such as Maps, Firebase, or YouTube have traditionally been treated as safe to embed in public-facing apps because they can be restricted by HTTP referrer, IP address, or mobile app identity. An API key is scoped to its project, though: unless its API restrictions limit it to named services, it can call any API enabled in that project. With the introduction of the Generative Language (Gemini) API, such a key can be used against Gemini endpoints as soon as that API is enabled in the project, whether or not anyone intended the key for that purpose.
This means an attacker who discovers a public key could potentially:
- Query Gemini models using your project's quota and billing (you pay the bill)
- List and download files uploaded through the Gemini Files API, and read content stored with its context caching feature, because both belong to the project rather than to the key that created them
Risks to be aware of
- Unexpected billing – malicious or automated use of Gemini APIs can rapidly consume quota and run up charges on a project with billing enabled
- Data exposure – uploaded files and cached content may be readable by anyone holding a key from the project
- Silent abuse – referrer restrictions do not protect Gemini API usage; the Referer header is set by the client anyway, so outside a browser it was never a secret
Recommended Actions
- Audit enabled APIs – list the enabled services in every Google Cloud project and note any where generativelanguage.googleapis.com is enabled; if nothing in that project needs it, disable it
- Lock down API keys – in the Cloud Console (APIs & Services > Credentials) or with `gcloud services api-keys update KEY_ID --api-target=service=SERVICE`, set each key's API restrictions to only the services it needs; a key with no API restriction can call every API enabled in the project, and a restriction applies to the key string itself, so tightening it cuts off anyone already holding a copy
  - Remove Gemini access from keys used in public contexts (browser, Android, or iOS restricted keys)
  - Create separate keys for Gemini with tight restrictions: an API restriction to generativelanguage.googleapis.com only, plus an IP restriction for server-side callers
- Prefer OAuth / service accounts – for server-side or sensitive workloads, avoid API keys entirely
- Monitor usage & billing – set Cloud Billing budget alerts and review request counts and errors for the Generative Language API under APIs & Services > Metrics
- Verify what a key can reach – the API's ListModels endpoint (GET https://generativelanguage.googleapis.com/v1beta/models?key=YOUR_KEY) returns a model list for a key that is allowed through and an error for one that is blocked; run it against each of your public keys after restricting them
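The audit in the first two actions can be scripted against the JSON that gcloud prints. The following is an added example, not code from this page or from Google; it assumes the record shapes of `gcloud services list --enabled --format=json` and `gcloud services api-keys list --format=json` (the API Keys API v2 Key resource, whose `restrictions.apiTargets` holds the API restriction and whose `browserKeyRestrictions`, `androidKeyRestrictions`, `iosKeyRestrictions` and `serverKeyRestrictions` hold the application restriction). The sample records and their names and uids are constructed for illustration.

```python
"""Audit Google Cloud API keys for unintended Generative Language (Gemini) reach.

Added example. Feed it the output of
  gcloud services list --enabled --format=json
  gcloud services api-keys list --format=json
for one project. The embedded samples below are constructed.
"""
import json

GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Constructed sample of `gcloud services list --enabled --format=json` (abridged).
ENABLED_SERVICES_JSON = json.dumps([
    {"config": {"name": "maps-backend.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": GEMINI_SERVICE}, "state": "ENABLED"},
])

# Same project without Gemini enabled, for comparison.
SERVICES_WITHOUT_GEMINI_JSON = json.dumps([
    {"config": {"name": "maps-backend.googleapis.com"}, "state": "ENABLED"},
])

# Constructed sample of `gcloud services api-keys list --format=json` (abridged;
# the listing never includes key strings).
API_KEYS_JSON = json.dumps([
    {   # Typical website Maps key: referrer-restricted, but no API restriction.
        "displayName": "website-maps-key",
        "uid": "key-uid-0001",
        "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*.example.com/*"]}},
    },
    {   # Same key after being locked to Maps only.
        "displayName": "website-maps-key-restricted",
        "uid": "key-uid-0002",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["*.example.com/*"]},
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
        },
    },
    {   # Dedicated server-side Gemini key: IP restricted and limited to Gemini.
        "displayName": "backend-gemini-key",
        "uid": "key-uid-0003",
        "restrictions": {
            "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
            "apiTargets": [{"service": GEMINI_SERVICE}],
        },
    },
    {   # Legacy key with no restrictions of any kind.
        "displayName": "legacy-key",
        "uid": "key-uid-0004",
    },
])

PUBLIC_RESTRICTION_KINDS = ("browserKeyRestrictions", "androidKeyRestrictions", "iosKeyRestrictions")


def gemini_enabled(enabled_services_json):
    """True if the Generative Language API is enabled in the project."""
    services = json.loads(enabled_services_json)
    return any(s.get("config", {}).get("name") == GEMINI_SERVICE
               and s.get("state", "ENABLED") == "ENABLED" for s in services)


def key_reaches_gemini(key):
    """A key with no apiTargets is unrestricted and can call any enabled API;
    otherwise Gemini is reachable only if it is named explicitly."""
    targets = key.get("restrictions", {}).get("apiTargets", [])
    if not targets:
        return True
    return any(t.get("service") == GEMINI_SERVICE for t in targets)


def is_public_context_key(key):
    """Browser, Android and iOS restrictions mark keys shipped inside clients."""
    restrictions = key.get("restrictions", {})
    return any(kind in restrictions for kind in PUBLIC_RESTRICTION_KINDS)


def audit(enabled_services_json, api_keys_json):
    """Return (displayName, uid, reason) for every key that can reach Gemini
    without that being a deliberate, server-only arrangement."""
    findings = []
    if not gemini_enabled(enabled_services_json):
        return findings  # nothing to reach; the key issue does not arise
    for key in json.loads(api_keys_json):
        if not key_reaches_gemini(key):
            continue
        restrictions = key.get("restrictions", {})
        if not restrictions:
            reason = "no application or API restriction: usable by anyone from anywhere"
        elif "apiTargets" not in restrictions:
            reason = "no API restriction: Gemini reachable, guarded only by a client-controlled referrer/app check"
        elif is_public_context_key(key):
            reason = "Gemini explicitly allowed on a key shipped to browsers or apps"
        else:
            continue  # IP-restricted server key limited to Gemini: intended use
        findings.append((key.get("displayName", "<unnamed>"), key.get("uid"), reason))
    return findings


if __name__ == "__main__":
    for name, uid, reason in audit(ENABLED_SERVICES_JSON, API_KEYS_JSON):
        print(f"{name} ({uid}): {reason}")
```

Run it per project with the two gcloud outputs saved to files and passed in place of the constructed samples; every key it reports should either gain an API restriction that excludes generativelanguage.googleapis.com or be replaced by a dedicated, IP-restricted Gemini key.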
If your project uses Google API keys in public apps and has the Generative Language API enabled, assume those keys are more powerful than you intended. Review and restrict them now, before someone else finds them, to avoid data leakage or surprise charges.
We are here to help
Please give our IT security consultants a call on 01460 271055 if you need help with this issue, or contact us using the form below.