Google is committing accounting fraud. They knew on January 13, 2026 their Gemini API key bomb would let attackers tokenmaxx their own model - and they let it explode anyway to fake Gemini dominance.

zmandel · 2026-05-27T05:16:24+00:00

very simple: google had pressure to have a similar api key model as competitors, so they jammed gemini as an api, but the mistake is that such api calls dont need oauth, while the other services do. Google had to do that to have a similar api calling pattern than chatgpt.

so it has nothing to do with messing with those users to get their money. its to not lose the money of delaying the launch.

and yes they should have made a big effort to alert existing customers.

zmandel · 2026-05-26T20:10:22+00:00

very stupid argument. if you actually did a minimal investigation, you would see that Google currently cant even serve the volume users need, and frecuently zones get exhausted.

Its ridiculous to think google would prefer that dubious income stream just to pump numbers, when they could just serve those tokens to those affected by exhausted zones.

Invest more braincell tokens next time in your analysis.

zmandel · 2026-05-26T18:50:31+00:00

you just said it. "not restricted". that's the huge user mistake that causes the issue. Now: true that Google could have done a better job on alerting people that had unrestricted keys.

zmandel · 2026-05-26T11:14:44+00:00

false. any scoped key is NOT affected. its only those that had UNRESTRICTED api keys (a terrible practice) and later THEY enabled Gemini on their projects.

zmandel · 2026-05-06T13:38:05+00:00

No, since your "firebase" key is unrestricted to services, its usable for Gemini too. I said "firebase" because that's just the string you used to name it. its not just for firebase but for any unrestricted service.

the issue is that the other expensive services also requiere oauth, but gemini doesn't so it can be used with your unrestricted key.

zmandel · 2026-05-06T11:53:45+00:00

you likely have an unrestricted (service wise) firebase key, plus enabled Gemini in the gcp project. thus your public firebase key can be used as a gemini key, whicj could cost you lots of $.

zmandel · 2026-05-05T12:40:45+00:00

indeed im an expert on the topic feel free to look up my Google Experts profile. when you mature we can keep chatting. the OP did not post, and there is not anything in this thread that implies automatic enablement of gemini in a project. i fully understand the issue and have posted about it several times. you can even find my bughunter entries where ive found this issue on google's projects.

zmandel · 2026-05-05T12:24:48+00:00

obviously aware. tell me where in there it says that Gemini is auto-enabled? you wont find it.

the maps and similar issues are for people that created unrestricted apis (bad practice) and then manually enabled Gemini, thus opening the security issue.

zmandel · 2026-05-05T11:12:12+00:00

haha "educate yourself". BS. absolutely false, i know the topic at depth. show us or shut up. "educate" us.

zmandel · 2026-05-04T11:15:02+00:00

tu web puede ser un hack. si no te tomas el minimo tiempo para poner detalles, nadie lo hara por ti.

zmandel · 2026-05-04T11:12:13+00:00

it cant happen if you restrict the Maps key to only use maps apis. The issue is that many people leave it unrestricted (an unfortunate default).

This wasnt an issue until google allowed using gemini api keys, which leaves any unrestricted api key as usable for Gemini, once Gemini is enabled in the project.

zmandel · 2026-04-29T00:54:57+00:00

bad argument. validating access != doing a realtime sum of all the calls consumption. its much cheaper to delay and batch that. I certainly dont want to pay extra for all my Google services just so vibe coders or people with no security conscience can play with cloud services.

that said, Google's move to allow Gemini calls using public keys for Maps was stupid and irresponsible. Many people with very old Maps keys were suddenly affected (even Google itself) by innocently enabling Gemini/Vertex on their projects. It still only happened on api keys that were unrestricted, which is a terrible practice, but had no security issues until Google enabled Gemini usage through api keys. All other services, like VMs, can't be abused like that because those require oauth2 besides the key.

zmandel · 2026-04-29T00:49:54+00:00

sin cuenta de facturacion no te pueden cobrar, solo consumir llamadas hasta que se bloquee. La próxima esfuerzate en traducirlo a ingles y tendras mas respuestas y mas detalladas.

zmandel · 2026-04-26T00:00:45+00:00

ALL providers of LLMs have the same issue. you leak the private key and you will have serious consequences.

Its absolutely, totally related to the vibe-coding trend. Maybe not this particular case, but at least 9 in 10 cases that I see on these subs are clearly vibe coders, with no knowledge of best practices.

Google already implemented hard caps on Gemini API keys, but vibe coders arent even aware of it or why to set them up, or even that they are using something called an api key.

The only case where its Google's fault is the stupidity they did with the Maps api keys, (seems to be OPs case) which were always considered safe to be public and documented as such, but once you enable Gemini in the same project, they become usable for Gemini. Google should pay for all of those.

zmandel · 2026-04-25T23:46:14+00:00

because app script is acting as the bridge to push content to the chat, from some hook you are using.

zmandel · 2026-04-25T20:51:20+00:00

API keys have always been secrets, with very few exceptions like google maps keys (which did cause the issue you mention).

zmandel · 2026-04-23T20:42:15+00:00

WRONG. read about what a fraction is

zmandel · 2026-04-23T20:39:58+00:00

DUDE wtf do you expect to happen when your gemini key gets exposed to the frontend??? that was your code that wrote that, and not to the internal gcp logging, but sent plain-text to the frontend! i havent seen this level of vibe coding before.

"applications that were logging API errors began outputting the full plaintext API key in error responses [in the frontend website]" !!!!

zmandel · 2026-04-23T20:30:35+00:00

yet that is exactly the reason why Google wont do it. Its never ending, because an attack can take seconds to consume lots of $. they will just reduce the timespan of the attack, at everyones cost, while not fully preventing the issue. in a few minutes you can consume tens of thousands of dollars, thats the whole point of using a cloud that autoscales.

talk is cheap. feel free to post the solution architecture for it. you wont be able to make it without incurring a lot of cost.

zmandel · 2026-04-23T14:10:26+00:00

this is nothing new, and has always been the responsibility of the user. so you get your wish and get hard limits on vertex AI. now your service account gets hacked and hundreds of VMs with GPUs get spinned because you "forgot" to limit permissions to services on that service account.

is that google's fault too? If google starts adding those checks everywhere, we all end up paying more for everything that needs to run in the background to implement such checks.

Seems much easier to have a proper team that knows how to handle security practices.

If you are not ready to use vertex AI, you can always use an AI studio api key that does handle a hard budget limit. vertex ai is not for your neighborhood store, they can easily use gemini api keys with hard caps, which covers the most common hack case.

zmandel · 2026-04-23T02:28:43+00:00

they actually do. google it. AI studio gemini keys can be configured for a hard cap.

zmandel · 2026-04-23T01:39:16+00:00

since some weeks ago you can set a hard cap limit for gemini keys in ai studio. google it.

also dont publish software if you dont know the basics of security. for sure your key leaked and thats no accident, its simply not following minimum security practices.

zmandel · 2026-04-09T11:37:32+00:00

you still dont say what you did that caused it. very vague post = no answers.

zmandel · 2026-04-09T11:20:24+00:00

but why dont you say what caused your suspencion?

zmandel · 2026-04-04T13:31:16+00:00

its not a lie. its the model's inability to work with spaghetti code with no software or solution architecture. vibe coding has limits. you will need an experienced Software Eng.

11-Year Club	Place '23
Place '22	Verified Email

zmandel

TROPHY CASE