Friday, April 10, 2026

Gemini API Security Vulnerability Triggers Serious Google Bug Emergency

The Gemini API exposure puts the users of some of the most widely installed Android apps, reportedly more than 500 million people in total, at risk of sensitive-data leakage. A report from CloudSEK found hardcoded Google API keys in 22 popular applications, including Oyo Hotel and Google Pay for Business, that grant unauthorized access to Gemini, Google's family of generative AI models. Google API keys are designed as project identifiers for quota and billing, but a key with the Gemini API enabled and no application restrictions behaves as a bearer credential: anyone who extracts it from the app package can call the same endpoints the app does. According to the report, attackers can use such keys to pull documents, images and audio that apps have submitted to Gemini, which creates both privacy and financial exposure. Developers have already been hit with large bills for unauthorized Gemini usage, in some cases exceeding $80,000. CloudSEK urges organizations to audit their apps for embedded keys, rotate any that are exposed, and stop hardcoding keys in client code. Security firms report thousands of exposed Google API keys online, indicating that the problem is widespread rather than confined to these 22 apps. Until developers put proper safeguards in place, users are advised to rely on official Google channels for Gemini access, and the findings underline the need for secrets handling in mobile app development that does not ship credentials to the client.
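The audit CloudSEK recommends starts with finding the keys. The following is an added example, not code from the article or from CloudSEK: a small scanner that walks a decoded Android app directory (for instance apktool output) and reports every token shaped like a Google API key. The pattern it uses, the literal prefix `AIza` followed by 35 characters from `[0-9A-Za-z_-]`, is the widely used detection heuristic for Google API keys; it identifies key-shaped strings and says nothing about whether a key is valid or has Gemini enabled. The sample files and the key inside them are constructed for the demonstration and are not real credentials.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Heuristic for Google API keys: "AIza" plus 35 chars from [0-9A-Za-z_-],
# 39 characters total, not embedded in a longer token of the same alphabet.
# A match is a candidate to audit and rotate, not proof the key is live.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# File types worth scanning in a decoded APK: string resources, smali
# disassembly, bundled config and web assets. Extend as needed.
SCAN_SUFFIXES = {".xml", ".smali", ".json", ".properties", ".txt", ".js"}


@dataclass(frozen=True)
class Finding:
    path: str      # path relative to the decoded-app root
    line_no: int   # 1-based line number
    key: str       # the matched token (full value kept for rotation work)

    def redacted(self) -> str:
        # Scanner output is often pasted into tickets; never log full secrets.
        return f"{self.key[:8]}...{self.key[-4:]}"


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return every Google-API-key-shaped token in `text` with its line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, m.group(0)))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk a decoded-app directory and scan every file of interest."""
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            try:
                text = p.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            findings.extend(scan_text(text, p.relative_to(root).as_posix()))
    return findings


def distinct_keys(findings: list[Finding]) -> set[str]:
    """The set of unique keys: this is the rotation list, one entry per key."""
    return {f.key for f in findings}


# Constructed sample key (invalid, for the demo only): 4 + 6 + 28 + 1 = 39 chars.
SAMPLE_KEY = "AIzaSyDEMO" + "0" * 28 + "A"

# Constructed sample of a decoded app: the key appears once in string
# resources and again as a const-string in smali; config.json is clean.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        '    <string name="app_name">Demo</string>\n'
        f'    <string name="gemini_key">{SAMPLE_KEY}</string>\n'
        "</resources>\n"
    ),
    "smali/com/example/Net.smali": (
        ".class public Lcom/example/Net;\n"
        f'    const-string v0, "{SAMPLE_KEY}"\n'
        '    const-string v1, "https://generativelanguage.googleapis.com/v1beta/models"\n'
    ),
    "assets/config.json": '{"api_base": "https://example.invalid", "debug": false}\n',
}


def demo() -> list[Finding]:
    """Write the constructed sample to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(content, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    results = demo()
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.redacted()}")
    print(f"{len(distinct_keys(results))} distinct key(s) to rotate")
```

On a real app, point `scan_tree` at the apktool output directory; the same key usually shows up in several places (resources, smali, sometimes native libraries), so work from `distinct_keys` when rotating. A hit only tells you a key is shipped in the client; whether it has the Gemini API enabled, and what application restrictions it carries, has to be checked in the Google Cloud project that owns it.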
