Unrestricted Firebase browser key triggers €54,000 Gemini bill in 13 hours

A browser-exposed Firebase Web API key with no restrictions was enough to reach Gemini APIs and drive roughly €54,000 in charges in 13 hours, according to a report surfaced on Hacker News and discussed in the Google AI developer forum. The incident matters because it compresses a familiar cloud-security failure into the current AI tooling stack: a credential intended to identify a web app was left broad enough to be used from the client side, and once that key could invoke a paid model endpoint, billing moved faster than ordinary manual review or response workflows.

What changed here is not a new class of attack so much as a new blast radius. AI features are increasingly wired directly into browser apps, starter kits, and low-friction developer tools. That makes key governance part of the product path, not an afterthought. In this case, the unrestricted Firebase Web API key exposed in a browser appears to have been used for Gemini requests from client-side code, with no effective origin or referrer restrictions and no API-key scoping to narrow where or how it could be used. The result was not just unauthorized access; it was paid usage at cloud speed.

The technical chain is straightforward once the misconfiguration is named precisely. Firebase Web API keys are not secret in the same way as a server-side private key, but they still require guardrails. When those guardrails are absent, a browser-visible key can be reused outside the intended application context. If that key is accepted by Gemini endpoints, then client-side requests can generate model traffic as if they were legitimate app calls. Without origin/referrer checks, API restrictions, or complementary app attestation controls, the platform has little basis to distinguish a real user session from an automated or repurposed client.

That is why the root cause matters as much as the spend. The issue was not merely that a key was visible in front-end code; it was that the key remained unrestricted. The absence of origin/referrer restrictions and API restrictions created a direct path from browser exposure to paid Gemini usage. In practical terms, this is the failure mode many teams assume their “public” web keys cannot trigger. The incident shows that assumption is unsafe once the key can touch metered AI services.

The billing impact is the part that lands hardest for operators. About €54,000 accumulated in 13 hours. That kind of cost curve is not a long-tail abuse scenario; it is an operational emergency. Even if a team detects anomalous usage quickly, AI billing systems can allow a large amount of spend to accrue before someone closes the door. The incident therefore exposes a structural mismatch between the speed of AI API consumption and the slower cadence of credential review, support escalation, and finance-side controls.

For developer-tool vendors and AI product teams, the implication is broader than a single Firebase setup. The modern stack increasingly encourages client-side experimentation: quick demos, in-browser agents, low-code builders, and front-end SDKs that make model access feel as simple as adding a script tag. That convenience shifts governance burden onto key restrictions, app verification, usage quotas, and spend monitoring. If those controls are optional, too permissive, or buried in documentation, the default outcome is fragility.

The useful lesson is not to abandon client-side AI features, but to treat their guardrails as first-class product requirements. Teams that ship model access into browser environments need to assume the credential will be observed, copied, and reused. They also need to assume that billing, not just authorization, is part of the security boundary. A key that can create cost is a key that needs policy.

Concrete mitigations are available and should be implemented together rather than one at a time. First, restrict keys aggressively: add origin or referrer restrictions for browser use cases, and apply API restrictions so the key can call only the intended service. Second, enable App Check or an equivalent attestation layer where supported, so requests carry stronger proof that they originate from the genuine app. Third, move sensitive Gemini calls to server-side code whenever possible, keeping paid model access behind controlled backend credentials instead of browser-exposed ones. Fourth, set proactive billing alerts and hard quotas so anomalous usage is surfaced before costs compound. Fifth, rotate exposed keys immediately after discovery and audit where credentials appear across source control, build pipelines, environment files, and client bundles.

There is also a workflow lesson for engineering organizations. Credential checks should be part of CI/CD and release review, not just incident response. Teams that build AI features need automated scans for exposed API keys, policy checks that fail builds when unrestricted keys are detected, and observability that ties usage spikes to the app, key, or deployment that generated them. Finance and platform teams should be in the same control loop, because a cost event can become a security event before it becomes visible in code review.

Expect the platforms around AI development to harden as these cases accumulate. The likely direction is tighter defaults for client-side credentials, stronger enforcement of quotas, and more opinionated tooling around app verification and spend controls. For builders, that means the governance layer is becoming part of the product surface. The teams that treat API-key management as infrastructure hygiene will move faster than the teams that discover—after a bill arrives—that a browser can still be the fastest way to turn a missing restriction into a very expensive request.