In a detailed blog post, CyberArk researcher Arik Kublanov said the vulnerability was in Google's APIs and had been called Shadow Keys.
When a user of Google's services sets up a project, Google automatically creates an API key for that project. Shadow Keys are essentially illegitimate copies of these keys - since the owner of the project is unaware that the original API key was created, they would also be unaware of the Shadow Keys.
"This was a significant vulnerability because if an attacker were to obtain a Google API key through nefarious actions, they could then create a shadow key to access applications as if it was the original user key," Kublanov wrote. "The attacker could also bypass the detection/billing system of some Google API services."
Google customers who have premium plans have to use an API key to access all features and benefits of that plan.
Kublanov said that by using a service that enumerated valid and invalid API keys, the CyberArk researchers were able to forge a shadow key when the original key was malformed.
"We used a vector that we called 'Malform', which allowed us to rotate one valid key from left to right from index=6 until the end of the key index=39, and each time we could change one character to be from the following characters: abcdefghijklmnopqrstuvwyxzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_," he said.
By doing this, the researchers obtained three more keys - the Shadow Keys. "Only the character in the index of 39 was changed, and all three were valid keys that could be used to access the user's application data."
He said that, using these Shadow Keys, the researchers were able to access the project in question, bypass detection and avoid payment, simply because the owner's dashboard did not recognise the shadow API key as belonging to the owner's application.
"Using only a single valid Google API key, it was possible to create shadow keys that went undetected and could avoid payments to Google," Kublanov said.
"With only a valid key, an attacker could create shadow keys and sell them to other malicious actors, giving them the ability to access the same applications and data as the original valid key, but go undetected by Google."
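The detection gap described above is that a key differing from the project's real key by one character was not attributed to that project. The following added example (not CyberArk's or Google's code) shows the check a project owner or API gateway could run over its own access logs: flag any observed key within one character of a registered key and report which index was mutated. The key values, log format and `key=` field are constructed placeholders.

```python
"""Flag 'shadow keys' (one-character variants of a registered API key) in access logs.
Added example; keys and log lines below are constructed placeholders, not real values."""
import re

# Registered key for the project (constructed placeholder, 39 characters long).
LEGIT_KEY = "AIzaPLACEHOLDER_KEY_" + "0" * 19
LEGIT_KEYS = {LEGIT_KEY}

# Key field as it appears in the constructed log format; alphabet matches the one quoted in the post.
KEY_RE = re.compile(r"key=([A-Za-z0-9_-]+)")


def diff_positions(a: str, b: str):
    """Indices at which two equal-length keys differ; None if the lengths differ."""
    if len(a) != len(b):
        return None
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def classify_key(key: str, legit_keys=LEGIT_KEYS):
    """Return (verdict, index): 'legitimate' for an exact match, 'shadow' for a
    single-character variant of a registered key (the Malform pattern) with the
    mutated 0-based index, otherwise 'unknown'."""
    for legit in legit_keys:
        diff = diff_positions(key, legit)
        if diff is None:
            continue
        if not diff:
            return "legitimate", None
        if len(diff) == 1:
            return "shadow", diff[0]
    return "unknown", None


def scan_log(lines, legit_keys=LEGIT_KEYS):
    """Tally calls per observed key and attach the verdict from classify_key."""
    report = {}
    for line in lines:
        m = KEY_RE.search(line)
        if not m:
            continue
        verdict, pos = classify_key(m.group(1), legit_keys)
        entry = report.setdefault(m.group(1), {"verdict": verdict, "index": pos, "calls": 0})
        entry["calls"] += 1
    return report


# Constructed sample log: the real key, two last-character variants, one unrelated key.
SAMPLE_LOG = [
    f"t=1 ip=203.0.113.5 key={LEGIT_KEY} GET /v1/items",
    f"t=2 ip=198.51.100.9 key={LEGIT_KEY[:-1]}Q GET /v1/items",
    f"t=3 ip=198.51.100.9 key={LEGIT_KEY[:-1]}Q GET /v1/items",
    f"t=4 ip=198.51.100.7 key={LEGIT_KEY[:-1]}- GET /v1/search",
    f"t=5 ip=192.0.2.44 key={'AIzaOTHER_PROJECT_KEY' + '0' * 18} GET /v1/items",
]

if __name__ == "__main__":
    for key, info in scan_log(SAMPLE_LOG).items():
        print(f"{info['verdict']:10} calls={info['calls']} index={info['index']} key={key}")
```

Index 38 in the output is the 39th character, the position the post says was changed; a real deployment would load the registered keys from the project's own configuration rather than a constant.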
He said Google had been notified of the flaw in January, soon after CyberArk discovered it. It had been fixed on 24 May.