€54k spike in 13h from unrestricted Firebase browser key accessing Gemini APIs
gemini google
Source: HN | Original article
A developer on the Google AI Developers Forum reported that a newly enabled Firebase AI Logic feature generated more than €54 000 in Gemini API charges within just 13 hours. The bill exploded after an existing Firebase project's browser-side API key – created years earlier as a public client identifier shipped with the app – automatically inherited access to the Gemini API the moment that API was turned on in the project. Because the key was left "unrestricted" – the default setting for Firebase keys – anyone who could read the JavaScript bundle could invoke Gemini models at scale, and the platform's usage-based pricing turned the oversight into a five-figure hit.
The incident highlights a silent privilege escalation built into Google Cloud's API key model. Unrestricted keys are project-wide: when a new API is enabled, every existing key instantly gains access to it, with no warning and no requirement to revisit restrictions. Google's own documentation advises developers to lock down keys before production, yet the default remains open, and the rollout of Gemini added a high-value, metered surface that many teams had never anticipated. Beyond the immediate financial loss, the weakness exposes user prompts and generated content to any party that captures the key, raising data-privacy concerns for enterprises that embed Gemini in web or mobile apps.
Google has not yet issued a formal fix, but the community is already calling for tighter defaults, automated alerts when a key gains access to a newly enabled API, and clearer migration guidance. Watch for an official response from the Cloud Identity and Access Management team, possible Firebase console changes that enforce key restriction at creation time, and any SDK changes that keep keys out of client-side code. In the meantime, developers should audit all public API keys, apply API-target and HTTP-referrer (or IP-based) restrictions, and enable budget alerts to prevent similar billing surprises as Gemini's capabilities continue to expand across Google's AI portfolio.
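The audit step above can be automated against the inventory that `gcloud services api-keys list --format=json` produces. The script below is an added example, not code from the forum post or from Google: it reads a constructed sample in that JSON shape and flags keys that have no API-target restriction (and so inherit every API enabled later) or no application restriction, and reports whether a metered Gemini-backed service is reachable through them. The service names in `HIGH_COST_SERVICES` are the Gemini Developer API and Firebase AI Logic API services as I know them; verify them against `gcloud services list --enabled` in your own project.

```python
"""Flag Google Cloud API keys that would reproduce the incident above:
unrestricted keys silently gain access to every API enabled afterwards."""
import json

# Metered Gemini-backed services; reaching them via a leaked browser key
# is what produced the bill described in the article.
HIGH_COST_SERVICES = {"generativelanguage.googleapis.com",
                      "firebasevertexai.googleapis.com"}
APP_RESTRICTION_KINDS = ("browserKeyRestrictions", "serverKeyRestrictions",
                         "androidKeyRestrictions", "iosKeyRestrictions")


def audit_key(key, enabled_services):
    """Return the enabled services this key can reach and a list of findings."""
    restrictions = key.get("restrictions", {})
    targets = {t["service"] for t in restrictions.get("apiTargets", [])}
    # No apiTargets means "unrestricted": the key is project-wide and
    # automatically covers any API enabled later (e.g. Gemini).
    reachable = set(enabled_services) if not targets else targets & set(enabled_services)
    findings = []
    if not targets:
        findings.append("no API restriction: key inherits every newly enabled API")
    if not any(kind in restrictions for kind in APP_RESTRICTION_KINDS):
        findings.append("no application restriction: usable from any origin")
    costly = sorted(reachable & HIGH_COST_SERVICES)
    if costly:
        findings.append("can call metered AI APIs: " + ", ".join(costly))
    return {"key": key["displayName"], "reachable": sorted(reachable),
            "findings": findings}


def audit_project(keys, enabled_services):
    return [audit_key(k, enabled_services) for k in keys]


# Constructed sample (not real project data): an old Firebase browser key
# with the default, empty restrictions, beside a properly locked-down key.
SAMPLE_KEYS = json.loads("""[
 {"name": "projects/example/locations/global/keys/k1",
  "displayName": "Browser key (auto created by Firebase)",
  "createTime": "2019-04-02T10:00:00Z"},
 {"name": "projects/example/locations/global/keys/k2",
  "displayName": "web-prod-restricted",
  "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]},
                   "apiTargets": [{"service": "firebase.googleapis.com"}]}}]""")
# Services enabled in the project, including Gemini turned on years later.
SAMPLE_ENABLED = ["firebase.googleapis.com", "identitytoolkit.googleapis.com",
                  "generativelanguage.googleapis.com"]

if __name__ == "__main__":
    for result in audit_project(SAMPLE_KEYS, SAMPLE_ENABLED):
        print(json.dumps(result, indent=2))
```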