€54k spike in 13h from unrestricted Firebase browser key accessing Gemini APIs
TL;DR Highlight
This is a real-world case where an unlimited API key activated for Firebase AI Logic (Gemini API) was exploited in automated attacks, resulting in €54,000 in charges within 13 hours, and Google refused a refund. It serves as a warning about the dangers of exposing API keys on the client side.
Who Should Read
Frontend/full-stack developers using Firebase or Google Cloud to develop or launch features based on the Gemini API. Specifically, small teams or individual developers who include API keys in client code or fail to properly configure budget management.
Core Mechanics
- After activating Firebase AI Logic to add AI features based on the Gemini API (generating web snippets from text prompts) to a project originally created a year ago for Firebase Authentication, automated traffic surged immediately upon activation.
- The browser API key for the Firebase project was originally created with 'No API restrictions,' and with the addition of the Gemini API, Gemini requests began to flood in without limit using that key. These were automated bot requests unrelated to actual user traffic.
- A budget alert of €80 and a cost anomaly notification were set up, but both were delayed by several hours. By the time a response was possible, approximately €28,000 had already been charged, and the delayed cost reporting resulted in a final amount exceeding €54,000.
- The Google Cloud support team rejected the request for a charge adjustment, stating that the usage 'occurred from that project' and was therefore considered valid.
- Gemini team lead Logan Kilpatrick commented directly, explaining the current countermeasures: Tier 1 users have a default monthly spending limit of $250, and project spending caps can also be set. However, both features have a maximum delay of 10 minutes.
- Google stated that it is moving towards preventing the use of Gemini API with unrestricted API keys. It has also changed the default for new users to generate more secure Auth keys.
- Prepaid billing is also being introduced, starting with new users in the US and expanding globally, allowing developers to pre-determine and control their spending.
- Google had maintained a principle for over 10 years that 'Google API keys are not secrets (they can be public),' but this principle was broken after the release of the Gemini API. However, many developers are unaware of this change and continue to use keys as before.
Evidence
- "The structural issues with GCP budget notifications were heavily criticized in the comments. Because billing events pass through a queue/log for aggregation, the notifications themselves can be delayed by hours. Even setting a hard limit operates based on the last known aggregated value, leaving it helpless against sudden spikes. Many agreed with the criticism that 'this structure is designed to protect the company, not the customer.'\n\nAnother developer who experienced similar damage appeared in the comments. After incurring $26,000 in damages, they requested a refund from the Google Cloud support team, which was initially denied but is currently under review, with advice to 'escalate as much as possible.' Another comment shared a case where a Gemini API key quickly generated during a Google public live training session was leaked, resulting in approximately $6,909 in charges.\n\nIt was pointed out that many Gemini API keys are already hardcoded on GitHub. A search for 'gemini \"AIza\"' on GitHub yields numerous results, and developers are analyzing that they are treating Gemini keys in the same way as existing Google Maps/Firebase keys, which have long been considered safe to make public.\n\nInformation was shared about the 'emergency brake' feature in GCP that immediately stops billing. Separating the billing account from the project stops API usage immediately, but there is a risk of deleting associated resources, making it unsuitable for production apps.\n\nA developer using Backblaze B2 mentioned it as an example of a 'working spending limit.' B2 shares their experience that API requests are immediately blocked when a $0 limit is set, exceeding the free tier, emphasizing the need for a fundamental change in cloud service billing design.\n\nQuestions were raised about why scammers target AI API keys. In response to the question of what clear financial gain there is, like mining Bitcoin with EC2 credentials, speculation arose that it may be to use or resell LLM services under someone else's account."
How to Apply
- If you plan to integrate the Gemini API with your Firebase project, you must simultaneously set both 'HTTP referrer restrictions' and 'API restrictions (allow only generativelanguage.googleapis.com)' in the API key settings. Without these two restrictions, the key can be used to call all Google services if exposed.
- Design your architecture so that Gemini API calls are made only on the server side (not on the client side - browser, app). If client-side calls are unavoidable, apply Firebase App Check to restrict API calls to authenticated apps only.
- Set a project spending cap (project spend caps) in Google AI Studio or the GCP Console, and build a pipeline using Pub/Sub + Cloud Function to automatically disconnect the billing account when the limit is exceeded. Simple email notifications are not a practical defense due to delays of several hours.
- If you add the Gemini API to a project originally created for other purposes, such as Firebase Authentication, the existing API keys in that project will all have Gemini access. You must thoroughly review the existing key list and remove unnecessary API permissions.
Code Example
# GCP billing account disconnection method via programming (based on official documentation)
# Caution: Do not use for production apps. Associated resources may be deleted.
# Disconnect billing account using gcloud CLI
gcloud billing projects unlink PROJECT_ID
# Or use Pub/Sub + Cloud Function combination to automatically disconnect upon budget exceedance
# 1. GCP Console > Billing > Budgets & alerts > Create budget
# 2. Set Alert threshold (e.g., 80%)
# 3. Select 'Connect a Pub/Sub topic'
# 4. Deploy the following Cloud Function
import base64
import json
from googleapiclient import discovery
def stop_billing(data, context):
pubsub_data = base64.b64decode(data['data']).decode('utf-8')
pubsub_json = json.loads(pubsub_data)
cost_amount = pubsub_json['costAmount']
budget_amount = pubsub_json['budgetAmount']
project_name = pubsub_json['budgetDisplayName'] # Use budget name as project name
if cost_amount >= budget_amount:
billing = discovery.build('cloudbilling', 'v1')
# Disconnect billing account
billing.projects().updateBillingInfo(
name=f'projects/{PROJECT_ID}',
body={'billingAccountName': ''}
).execute()
print(f'Billing disabled for project {PROJECT_ID}')
# API key restriction settings (Google Cloud Console > APIs & Services > Credentials)
# - Application restrictions: HTTP referrers (web sites) -> Allow only your domain
# - API restrictions: Restrict key -> Select only generativelanguage.googleapis.comTerminology
Related Papers
Claude Code sends 33k tokens before reading the prompt; OpenCode sends 7k
동일한 모델과 작업 환경에서 Claude Code와 OpenCode의 실제 토큰 사용량을 API 레벨에서 측정한 결과, Claude Code가 시스템 프롬프트 오버헤드만으로 OpenCode 대비 4.7배 더 많은 토큰을 소비한다는 것을 확인했다.
Mesh LLM: distributed AI computing on iroh
사무실, 집, 클라우드에 흩어진 GPU들을 하나의 OpenAI 호환 API로 묶어주는 분산 LLM 실행 시스템으로, 비싼 API 비용 없이 큰 모델을 직접 운영할 수 있다.
Show HN: Frugon – Find which LLM calls a cheaper model could handle (local, MIT)
내 LLM API 비용이 어디서 새는지 로컬에서 분석해주는 오픈소스 CLI 도구로, 비싼 모델 대신 저렴한 모델로 전환 가능한 호출을 골라낸다.
Jamesob's guide to running SOTA LLMs locally
2천 달러짜리 RTX 3090 한 장부터 4만 달러짜리 RTX PRO 6000 4장 셋업까지, 로컬에서 최신 LLM을 직접 돌리는 방법을 하드웨어 선택·구성·실행 설정까지 통째로 정리한 실전 가이드다.
Faster embeddings: how we rebuilt the ONNX path in Manticore
Manticore Search가 기존 SentenceTransformers/Candle 백엔드를 ONNX Runtime으로 교체해 텍스트 임베딩 생성 속도를 평균 14배 향상시켰다. 별도 모델 서비스 없이 DB 내부에서 직접 임베딩을 처리하는 구조에서 INSERT 속도가 곧 임베딩 속도이기 때문에 이 개선은 실질적인 ingest 처리량 향상으로 직결된다.
Asymmetric Quantization: Near-Lossless Retrieval with 97% Storage Reduction
멀티벡터 검색 모델의 문서 벡터를 1비트 이진값으로 압축하고 쿼리 벡터만 int8로 유지하는 비대칭 양자화 기법으로, 스토리지를 97% 줄이면서 검색 품질 손실을 0.61점(NDCG@10 기준)에 그치게 만든 실제 프로덕션 적용 사례다.
Related Resources
- https://discuss.ai.google.dev/t/unexpected-54k-billing-spike-in-13-hours-firebase-browser-key-without-api-restrictions-used-for-gemini-requests/140262
- https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules
- https://ai.google.dev/gemini-api/docs/billing#tier-spend-caps
- https://ai.google.dev/gemini-api/docs/billing#project-spend-caps
- https://cloud.google.com/billing/docs/how-to/budgets-programmatic-notifications
- https://news.ycombinator.com/item?id=47156925