Skip to main content

Google API Keys Remain Active After Deletion

1 month 2 weeks ago
Aikido Security found that deleted Google API keys can continue authenticating for a median of about 16 minutes and as long as 23 minutes, despite Google Cloud's UI claiming that once a key is deleted it can no longer make API requests. Dark Reading reports: Joe Leon, researcher at Belgian startup Aikido Security, recently analyzed the revocation window -- the time between a key's deletion and its last successful authentication -- for the cloud giant's API keys. In a blog post published today, Leon said Google Cloud Platform (GCP) customers expect API access to end immediately after the key is deleted, but this is not the case. In a series of tests, Leon found that the median revocation window was around 16 minutes, while the longest window was up to 23 minutes, "an incredibly long time" for API keys to continue authenticating successfully, he said. And these windows have serious repercussions for organizations. "An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations," Leon said. "The GCP console will not show the key, and it will not tell you the key is still working. You are trusting Google's infrastructure to eventually catch up." [...] Leon tells Dark Reading the revocation windows for Google's API keys, as well as the unpredictable authentication success rates, complicate matters for incident response teams that are dealing with a potential breach. "This breaks the mental model IR teams have when responding to leaked credentials," he says. "It's assumed that when you click 'Delete' or 'Revoke' that the credential no longer works. Now IR teams need to remember that for GCP credentials, a window exists when that 'Deleted' credential still works for attackers." To that end, Aikido recommended that security teams and IR personnel use a 30-minute window for Google API key deletions. Additionally, organizations should monitor their API requests by credential through the "Enabled APIs and services" portion of the GCP console, and review API requests by credential. "If you see unexpected usage from that credential after deletion, someone could be actively exploiting it," Leon wrote. Aikido reported the findings to Google, but the company closed the report as "won't fix," according to the blog post.

Read more of this story at Slashdot.

BeauHD

Major Streamers Must Pay 15% of Revenues To Canadian Content, CRTC Says

1 month 2 weeks ago
Canada's broadcast regulator says major streaming services such as Netflix must contribute 15% of their Canadian revenues to Canadian and Indigenous content. "That's three times the five-per-cent initial contribution requirement the CRTC set out in 2024, which is being challenged in court by major streamers, including Apple and Amazon," reports Global News. "Contribution requirements for traditional broadcasters, which currently pay between 30 and 45 percent, will be lowered to 25 percent." From the report: "The total contributions are expected to stabilize the funding at more than $2 billion in support of Canadian and Indigenous content, such as French-language content and news," the regulator said in a press release. The CRTC made the decisions as part of its implementation of the Online Streaming Act, which the U.S. has identified as a trade irritant ahead of trade negotiations with Canada. The CRTC also set out rules on how the money must be spent for both streamers and broadcasters, including contributions toward production funds and direct spending on Canadian content. Most of the streamers' financial contributions can go toward content, though the CRTC is imposing rules on how that money must be spent for the largest streamers. For instance, streamers with Canadian revenues of more than $100 million annually must direct 30 percent of spending toward partnerships with Canadian broadcasters and independent producers. Large Canadian broadcasters will have to direct at least 15 percent of their contributions toward news. The new financial contribution rules apply to streamers and broadcasters with at least $25 million in annual Canadian broadcasting revenues. The decision covers audiovisual programming, meaning it affects traditional TV broadcasters and online services that stream television content. The regulator also said Thursday online streamers will have to take steps to ensure Canadian and Indigenous content is available and visible to audiences. "This will make it easier for people to find this content on the platforms they use, while giving broadcasters flexibility in how they meet the new expectations," the CRTC said in the release. Details of those requirements will be determined at a later time.

Read more of this story at Slashdot.

BeauHD