€54k in 13 Hours: The Cost of an Unrestricted Firebase Key
A single unrestricted Firebase browser key led to a €54,000 billing spike in 13 hours as attackers abused it to call Gemini APIs. This article explains how it happened, who is at risk, and what concrete steps developers must take immediately to prevent similar incidents.
A developer woke up to a €54,000 billing spike in 13 hours — their Firebase browser key, left unrestricted, had been hijacked to call Gemini APIs. This is the nightmare scenario for every team building on AI APIs: one misconfiguration, one exposed key, and you're on the hook for a month's (or year's) budget.
- A developer reported a €54,000 billing spike in 13 hours on Google's AI forum, caused by an unrestricted Firebase browser key being used to access Gemini APIs.
- The key was a browser-side Firebase API key without IP or referrer restrictions, making it trivial for attackers to extract and abuse.
- This incident highlights a critical security gap: Google's default Firebase and Gemini API configurations are too permissive, and developers lack automatic safeguards against runaway billing.
How Did a Single Firebase Key Trigger a €54,000 Bill in 13 Hours?
According to a developer's post on Google's AI forum (dated April 16, 2026), their Firebase project's billing spiked by €54,000 in just 13 hours. The culprit: a Firebase browser API key that had no restrictions — no IP whitelist, no HTTP referrer limits, no API method restrictions. Attackers extracted the key from the client-side code and used it to call Gemini APIs at scale, generating massive token usage and associated costs. The developer reported that the key was intended for a low-traffic prototype, but the lack of restrictions turned it into an open door for abuse.
This is not a novel attack vector. Firebase documentation explicitly warns that browser keys are public by nature — they can be seen by anyone inspecting network traffic or reading client-side code. However, the default configuration for new Firebase projects does not enforce restrictions, leaving developers vulnerable if they do not manually lock down their keys.
Who Is Most at Risk From Unrestricted Firebase API Keys?
Every developer or organization using Firebase with Gemini APIs — or any Google Cloud API — without explicit key restrictions is at risk. This includes: startups running MVPs, enterprise teams with multiple Firebase projects, and any developer who uses browser-side Firebase SDKs without implementing security rules. According to Google's Firebase documentation, browser keys should always be restricted by HTTP referrer or allowed IP addresses. However, the default setup for new projects does not enforce this, leaving a security gap that attackers can exploit.
The risk is amplified by the nature of Gemini APIs: they are powerful, token-expensive, and billed per request. An attacker can quickly rack up thousands of euros in charges by sending high-volume requests. The incident shows that even a single misconfigured key can lead to catastrophic billing — the developer's €54,000 spike is equivalent to the annual budget of many small teams.
| Security Configuration | Risk Level | Mitigation |
|---|---|---|
| No restrictions (default) | Critical | Add IP whitelist or HTTP referrer restrictions immediately |
| IP whitelist only | Medium | Combine with API key rotation and usage quotas |
| HTTP referrer + API key rotation | Low | Regularly audit and monitor for unusual activity |
| Full IAM + service account | Very Low | Use for server-side applications only |
| Verdict | No restrictions is unacceptable; use at minimum HTTP referrer + budget alerts |
What Operational Tradeoffs Do Developers Face When Locking Down Firebase Keys?
Securing Firebase keys is not free. Developers must balance security with convenience. For example, IP whitelisting works well for server-side applications but fails for mobile or browser apps where IPs vary. HTTP referrer restrictions can block legitimate requests from development environments or staging servers. Additionally, implementing API key rotation adds operational overhead — teams must update keys in multiple places without breaking existing functionality.
However, the cost of inaction is far higher. The €54,000 spike is a stark example. Developers should consider the following tradeoffs: use budget alerts and usage quotas in Google Cloud Console to cap spending; implement API key restrictions even for prototypes; and consider using Firebase App Check to verify that requests come from your app. According to Google's documentation, App Check can help prevent abuse by requiring attestation tokens, but it adds complexity to the authentication flow.
What Should Developers Do Right Now to Prevent a Similar Incident?
Immediate actions: 1) Review all Firebase and Google Cloud API keys — check for any without IP or HTTP referrer restrictions. 2) Set up budget alerts and usage quotas in Google Cloud Billing to automatically halt spending if a threshold is exceeded. 3) Enable Firebase App Check for all client-facing apps. 4) Rotate any keys that have been exposed or are unrestricted. 5) Monitor billing and API usage daily, especially after deploying new features.
Long-term, developers should adopt a security-first mindset: never trust client-side keys; use server-side proxies or service accounts for sensitive API calls; and implement automated security audits. According to the developer who experienced the spike, they had not set up budget alerts — a simple oversight that cost them thousands.
My thesis: This incident is not an anomaly — it is a predictable consequence of Google's permissive defaults and the industry's lax attitude toward API key security. Short-term, affected developers will tighten their configurations, but the real fix must come from Google: default-enable restrictions for new projects, enforce budget alerts by default, and provide clear warnings when a key is left unrestricted. Long-term, the market will shift toward server-side proxies and AI-specific security tools, but that will take years. The losers here are developers who trust defaults — they will continue to be hit with surprise bills. The winners are security consultants and AI API management platforms that can help teams avoid these pitfalls. My prediction: Within 12 months, Google will introduce mandatory budget alerts for all new Firebase projects using Gemini APIs, following similar changes by AWS and Azure.
Predictions
- Google will, within 12 months, require budget alerts and usage quotas for all new Firebase projects using Gemini APIs, mimicking AWS's approach to preventing runaway costs.
- At least 3 major AI API management startups (e.g., Helicone, Porcupine, or similar) will see a 50% increase in sign-ups within 6 months as developers seek automated cost and security controls.
- The incident will lead to a formal security advisory from Google Cloud within 3 months, specifically addressing Firebase browser key risks for Gemini API users.
Article Summary
- The €54,000 spike is a textbook example of how default-permissive configurations can lead to catastrophic billing in AI API usage.
- Developers must treat browser-side keys as public and restrict them immediately — waiting is not an option.
- Budget alerts and usage quotas are non-negotiable; without them, any exposure can lead to uncontrolled spending.
- Google's defaults are the root cause — the company should proactively protect users from themselves.
- This incident will accelerate the adoption of server-side proxies and AI-specific security tools in the developer community.
Source and attribution
Hacker News
€54k spike in 13h from unrestricted Firebase browser key accessing Gemini APIs
Discussion
Add a comment