
"For more than a decade, Google's developer documentation has described these keys, identified by the prefix 'Aiza', as a mechanism used to identify a project for billing purposes. Developers generated a key and then pasted it into their client-side HTML code in full public view."
"When they later added Gemini to the same project, to, for example, make available a chatbot or other interactive feature, the same key effectively authenticated access to anything the owner had stored through the Gemini API, including datasets, documents and cached context. Because this is AI, extracting data would be as simple as prompting Gemini to reveal it."
Google's 'Aiza'-prefixed API keys were historically used only for project billing identification in public client-side code. With the introduction of the Gemini API in late 2023, these same keys began functioning as authentication credentials for embedded Gemini AI features. Developers who added Gemini to existing projects unknowingly granted the same public keys access to all Gemini-stored resources, including datasets, documents, and cached context. This dual functionality creates a security vulnerability where sensitive data becomes extractable through simple prompts to the Gemini AI, with no warning provided to developers about this authentication role change.
Read at InfoWorld