Glasstrail scans websites for exposed Google API keys. That has become much more important following recent research from Truffle Security.

For years, some Google API keys were commonly treated as safe to expose in client-side code for services like Maps or Firebase. But Truffle Security showed that when the Generative Language API is enabled on the same Google Cloud project, those same keys can also grant access to Gemini endpoints. In other words, a key that once looked low-risk can become a real security issue.

How the risks have changed

This changes the risk profile for exposed Google API keys found in public websites and JavaScript files. An attacker who discovers one may be able to do more than consume a basic frontend service. Depending on how the project is configured, they could access Gemini-related functionality, consume quota, expose sensitive data, or generate unexpected cost.

That is a good example of how the external attack surface keeps changing. A website can contain an API key that was deployed years ago for a legitimate reason, but a later change in the cloud project can quietly make that same key far more valuable to an attacker.

Continuous visibility matters

Security teams cannot rely on assumptions that were true when an application was first built. They need to know what is exposed today, across production sites, forgotten microsites, staging environments, and third-party hosted pages.

This is where external attack surface management helps. Glasstrail helps organisations identify exposed Google API keys across their internet-facing assets so teams can investigate them quickly, understand where they are publicly visible, and decide whether they should be restricted, rotated, or removed.
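As an added illustration (not Glasstrail's own code), here is the basic detection step that such scanning relies on: fetched HTML and JavaScript are searched for Google API key strings, which are 39 characters beginning with the literal prefix AIza, and findings are grouped by key so that one key deployed across several pages becomes a single item to investigate. The asset URLs, file contents and keys below are constructed samples.

```python
import re
from collections import namedtuple

# Google API keys are 39 characters: the prefix "AIza" followed by 35 characters
# from [A-Za-z0-9_-]. The lookarounds avoid matching inside a longer token.
GOOGLE_API_KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])(AIza[0-9A-Za-z_-]{35})(?![A-Za-z0-9_-])")

Finding = namedtuple("Finding", "asset line masked_key context")


def mask_key(key: str) -> str:
    """Keep enough of the key to correlate findings without re-exposing it in reports."""
    return key[:8] + "..." + key[-4:]


def scan_asset(name: str, content: str) -> list:
    """Return one Finding per key occurrence in a single fetched asset."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(name, lineno, mask_key(m.group(1)), line.strip()[:80]))
    return findings


def scan_assets(assets: dict) -> dict:
    """Group findings by (masked) key so each exposed key is one triage item."""
    by_key = {}
    for name, content in assets.items():
        for f in scan_asset(name, content):
            by_key.setdefault(f.masked_key, []).append(f)
    return by_key


# Constructed sample assets: the same key embedded in a Maps script tag and a
# Firebase config, an older key on a forgotten microsite, and a non-key decoy.
SAMPLE_ASSETS = {
    "https://www.example.com/index.html":
        '<script src="https://maps.googleapis.com/maps/api/js?key=AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE01234"></script>',
    "https://www.example.com/static/app.js":
        "const firebaseConfig = {\n  apiKey: 'AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE01234',\n  projectId: 'example-project'\n};",
    "https://legacy.example.com/old.js":
        "var key = 'AIzaSyOLDKEYOLDKEYOLDKEYOLDKEYOLDKEY000';",
    "https://www.example.com/static/vendor.js":
        "// AIzaShort is not a key and must not be reported",
}

if __name__ == "__main__":
    for masked, places in scan_assets(SAMPLE_ASSETS).items():
        print(masked, "seen in", [(p.asset, p.line) for p in places])
```

Each group's asset list is what tells you where a key is publicly visible; which Google services the key can reach is a property of the cloud project and has to be checked in the console, not from the page.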

What to do next

If your organisation uses Google services in websites or web applications, now is a good time to review where API keys are exposed, what services they can access, and whether old assumptions about their safety still hold.

The lesson here is simple: even a small configuration detail on a public website can turn into a bigger security issue when cloud services evolve. Continuous visibility helps you catch those changes before an attacker does.

If you would like to learn more about how Glasstrail can help you identify exposed API keys and other internet-facing risks, get in touch or start a free trial.