ALL POSTS

Key Findings Nearly 3,000 Google API keys (identified by the prefix "AIza") were found embedded in client-side code, providing access to sensitive Gemini endpoints and private data. The problem occurs when users enable the Gemini API on a Google Cloud project, causing the existing API keys in that project to gain access to Gemini endpoints without any warning or notice. Creating a new API key in Google Cloud defaults to "Unrestricted," meaning it's applicable for every enable

Key Findings: Cybersecurity researchers at Miggo Security have disclosed a security vulnerability in Google Gemini that allows unauthorized access to users' private calendar data. The vulnerability, dubbed "Indirect Prompt Injection," enables threat actors to craft malicious calendar invites that can bypass Google Calendar's privacy controls. When a user asks Gemini a seemingly innocent question about their schedule, the AI chatbot is tricked into parsing the malicious prompt