Tag: cybersec

  • Google API Keys Weren’t Secrets

    The Core Issue

    For over a decade, Google told developers that API keys (like those for Maps) were not secrets and could be safely embedded in public websites. However, with the launch of Gemini, those same keys now silently grant access to sensitive AI data and billing if the Gemini API is enabled on the project.

    What Changed?

    1. Retroactive Privilege: A key deployed publicly for a harmless service (e.g., Maps) automatically becomes a credential for the Gemini API if that service is enabled later—with no warning to the developer.
    2. Insecure Defaults: New API keys default to “Unrestricted,” working for every enabled API, including Gemini.

    The Risk

    An attacker can simply grab a key from a website’s source code and use it to:

    • Access private data stored in Gemini (uploaded files, cached content).
    • Incur huge charges by running up the victim’s Gemini API bill.
    • Exhaust quotas, shutting down legitimate services.

    Scale of the Problem

    A scan of public web data found 2,863 live Google API keys vulnerable to this issue, including keys on websites belonging to major financial institutions and even Google itself.

    Disclosure & Google’s Response

    The issue was reported in Nov 2025; it was initially dismissed but later accepted as a bug. Google’s planned fixes include: new keys defaulting to Gemini-only, blocking leaked keys, and proactive notifications to affected owners.

    What You Should Do

    1. Check if the “Generative Language API” is enabled in your GCP projects.
    2. If it is, audit your API keys for any that are unrestricted or that specifically allow Gemini.
    3. Verify those keys aren’t public (in code, websites, repos). If they are, rotate them immediately.
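
    The three checks above, sketched as an added example (not code from the original post or from Google). It assumes key records shaped like the API Keys API `Key` resource (`restrictions.apiTargets[].service`, `keyString`); the key strings, display names and HTML snippet are constructed.

```python
import re

GEMINI_SERVICE = "generativelanguage.googleapis.com"  # "Generative Language API"
# Google API keys are "AIza" followed by 35 URL-safe characters.
KEY_PATTERN = re.compile(r"AIza[0-9A-Za-z_-]{35}")

def gemini_capable(key):
    """Step 2: return why a key can call Gemini, or None if it cannot."""
    # Only API restrictions matter here; referrer/IP restrictions are not evaluated.
    targets = key.get("restrictions", {}).get("apiTargets", [])
    if not targets:
        return "unrestricted"  # works for every API enabled on the project
    if any(t.get("service") == GEMINI_SERVICE for t in targets):
        return "allows Gemini"
    return None

def audit(enabled_services, keys, public_text):
    """Steps 1-3: list of (displayName, reason, found_in_public_text)."""
    if GEMINI_SERVICE not in enabled_services:  # step 1
        return []
    exposed = set(KEY_PATTERN.findall(public_text))  # step 3
    findings = []
    for key in keys:
        reason = gemini_capable(key)
        if reason:
            findings.append((key["displayName"], reason, key["keyString"] in exposed))
    return findings

# Constructed sample data: fake keys, hypothetical display names.
FAKE_A, FAKE_B, FAKE_C = ("AIza" + c * 35 for c in "ABC")
SAMPLE_KEYS = [
    {"displayName": "maps-web", "keyString": FAKE_A,
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["example.com/*"]}}},
    {"displayName": "maps-only", "keyString": FAKE_B,
     "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
    {"displayName": "gemini-backend", "keyString": FAKE_C,
     "restrictions": {"apiTargets": [{"service": GEMINI_SERVICE}]}},
]
SAMPLE_PAGE = '<script src="https://maps.googleapis.com/maps/api/js?key=' + FAKE_A + '"></script>'
ENABLED = {"maps-backend.googleapis.com", GEMINI_SERVICE}

if __name__ == "__main__":
    for name, reason, exposed in audit(ENABLED, SAMPLE_KEYS, SAMPLE_PAGE):
        print(f"{name}: {reason}; {'ROTATE, found in public text' if exposed else 'not found in scanned text'}")
```

    The referrer-restricted `maps-web` key is still flagged, because a referrer restriction does not limit which APIs the key can call.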

    The fundamental problem is that legacy, non-secret identifiers were retroactively turned into sensitive credentials, creating a massive, silent security risk.

    For more on the issue, see: https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules

  • How CyberStrikeAI Automates Attacks on FortiGate Systems

    A recently discovered campaign targeting Fortinet FortiGate devices used an open-source AI-driven testing platform called CyberStrikeAI to automate attacks.

    Researchers from Team Cymru traced the activity to an IP address used by a suspected Russian-speaking threat actor that performed large-scale scans for vulnerable devices. CyberStrikeAI is an AI-based offensive security tool developed by a China-based programmer known as Ed1s0nZ, who may have links to organizations connected to the Chinese government.

    The activity gained attention after Amazon Threat Intelligence reported that attackers were systematically targeting FortiGate systems using generative AI services from Anthropic and DeepSeek, compromising more than 600 devices in 55 countries.

    CyberStrikeAI, written in Go, integrates over 100 security tools for vulnerability discovery, attack analysis, and reporting. Researchers observed 21 IP addresses running the platform between January and February 2026, mainly hosted in China, Singapore, and Hong Kong.

    The developer behind the tool has also published several other projects focused on exploitation and bypassing AI safeguards. Investigators say their GitHub activity suggests interactions with groups linked to Chinese state-backed cyber operations, including Knownsec 404, a security firm previously exposed in a major internal data leak.

  • Meta Faces Lawsuit Over WhatsApp Encryption Claims

    A group of international users led by the Israeli NSO Group has initiated a legal challenge against Meta, claiming that WhatsApp’s promised end-to-end encryption is non-existent. The lawsuit relies on whistleblower accounts suggesting that employees can bypass security measures to read private communications in real time via internal tools. In response, Meta has dismissed these allegations as fictitious and absurd, maintaining that its security protocols remain robust and impenetrable.

    On the technical side, the lawsuit claims that a Meta employee need only send a ‘task’ (i.e., a request via Meta’s internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job. “The Meta engineering team will then grant access—often without any scrutiny at all—and the worker’s workstation will then have a new window or widget available that can pull up any WhatsApp user’s messages based on the user’s User ID number, which is unique to a user but identical across all Meta products.”

    The lawsuit, however, accuses Meta of trying “to prevent the truth from coming out by imposing onerous nondisclosure agreements on its workers, essentially threatening the full force of one of the world’s richest companies if any of these individuals dared reveal what goes on behind closed doors at the company. These efforts have now failed, but they worked for many, many years by obscuring the truth.”