827a 10 hours ago

Is the implication at the end that Google has not actually fixed this issue yet? This is really bad; a massive oversight, very clearly caused by a rush to get Gemini in customers' hands, and the remediation is in all likelihood going to nuke customer workflows by forcing them to disable keys. Extremely bad look for Google.

abustamam 36 minutes ago

As I was reading it I didn't realize I was reading a security report, so I was like, is it responsible for them to be sharing this?

Then I saw the disclosure at the end and didn't get the sense that the flaw was fixed, so then I was still thinking... Is it responsible for them to be sharing this?

I'm glad that they did, because I can audit my own projects, but a bad actor may also be glad that they did.

The fact that we're hearing this first from a third party and not from Google themselves is extremely problematic.