<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Google-Cloud on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/google-cloud/</link><description>Recent content in Google-Cloud on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Tue, 23 Jun 2026 12:12:16 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/google-cloud/index.xml" rel="self" type="application/rss+xml"/><item><title>Google Told the Researcher Nice Catch Then Refused to Pay and Never Fixed It</title><link>https://hackingpassion.com/configconfusion-google-no-bounty/</link><pubDate>Tue, 23 Jun 2026 12:12:16 +0200</pubDate><guid>https://hackingpassion.com/configconfusion-google-no-bounty/</guid><description>&lt;p>Google told a security researcher his bug was a nice catch, lined up his payout, then eleven days later called it harmless and refused to pay a cent. The flaw he reported lets anyone with basic Kubernetes access take over a complete Google Cloud organization in about five seconds, with three lines of text and no special permissions at all. Months on, it still is not fixed. He named it &lt;strong>ConfigConfusion&lt;/strong>.&lt;/p></description></item><item><title>Google API Keys Keep Working for 23 Minutes After You Delete Them</title><link>https://hackingpassion.com/google-api-key-23-minutes/</link><pubDate>Sat, 23 May 2026 15:04:37 +0200</pubDate><guid>https://hackingpassion.com/google-api-key-23-minutes/</guid><description>&lt;p>Google tells you the key is gone. It keeps working for &lt;strong>23 more minutes&lt;/strong>. When you delete a Google API key, a dialog appears that says the following: &lt;em>&amp;ldquo;Once deleted, it can no longer be used to make API requests.&amp;rdquo;&lt;/em> That is the message. It is printed there by Google, presented as fact at the exact moment you think the risk is gone. It is not true.&lt;/p>
&lt;p>Security researcher &lt;strong>Joe Leon&lt;/strong> at &lt;strong>Aikido Security&lt;/strong> spent two days testing what actually happens after a key is deleted. He created keys, deleted them, and kept firing authenticated requests at Google&amp;rsquo;s servers at three to five per second until no valid response came back. He ran ten separate trials. The shortest window before a deleted key fully stopped working was nearly &lt;strong>eight minutes&lt;/strong>. The median was &lt;strong>sixteen minutes&lt;/strong>. The longest was just under &lt;strong>twenty-three minutes&lt;/strong>. During all of that time, the key was authenticating successfully on Google&amp;rsquo;s infrastructure. A deleted key. Still working.&lt;/p></description></item></channel></rss>