
Google API密钥也能访问Gemini私人数据?2026年安全风险实测
BLUF
Google spent over a decade telling developers that Google API keys are not secrets. But that's no longer true: Gemini accepts the same keys to access your private data. We scanned millions of websites and found nearly 3,000 Google API keys, originally deployed for public services like Google Maps, that now also authenticate to Gemini even though they were never intended for it. With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account. Even Google themselves had old public API keys, which they thought were non-sensitive, that we could use to access Google’s internal Gemini.
原文翻译:
谷歌十多年来一直告诉开发者,API密钥不是机密。但情况已变:Gemini接受相同的密钥来访问您的私人数据。我们扫描了数百万网站,发现了近3000个原本用于谷歌地图等公开服务的API密钥,现在它们也能验证Gemini访问,尽管从未被设计用于此。攻击者拥有有效密钥即可访问上传文件、缓存数据,并向您的账户收取LLM使用费用。甚至谷歌自身也有旧的公开API密钥(他们认为不敏感),我们可以用来访问谷歌内部Gemini。AI 搜索观察2026/4/30







