Three new vulnerabilities in Google’s Gemini AI assistant suite could have allowed attackers to exfiltrate users’ saved information and location data.
The vulnerabilities uncovered by Tenable, dubbed the “Gemini Trifecta,” highlight how AI systems can be turned into attack vehicles, not just targets. The research exposed significant privacy risks across different components of the Gemini ecosystem.
While Google has since patched the issues, the discovery serves as a critical reminder of the security challenges inherent in highly personalized, AI-driven platforms. The three distinct vulnerabilities targeted separate functions within Gemini.
Gemini Trifecta
Gemini Cloud Assist: A prompt-injection vulnerability in the Google Cloud tool could have enabled attackers to compromise cloud resources or execute phishing attempts. Researchers found that log entries, which Gemini can summarize, could be poisoned with malicious prompts. This represents a new attack class where log injections can manipulate AI inputs.
Gemini Search Personalization Model: This search-injection flaw gave attackers the ability to control Gemini’s behavior by manipulating a user’s Chrome search history. By injecting malicious search queries, an attacker could trick Gemini into leaking a user’s saved information and location data.
Gemini Browsing Tool: A vulnerability in this tool allowed for the direct exfiltration of a user’s saved information. Attackers could abuse the tool’s functionality to send sensitive data to an external server.
The core of the attack methodology involved a two-step process: infiltration and exfiltration. Attackers first needed to inject a malicious prompt that Gemini would process as a legitimate command.
Tenable discovered stealthy methods for this “indirect prompt injection,” such as embedding instructions within a log entry’s User-Agent header or using JavaScript to add malicious queries to a victim’s browser history silently.
Once the prompt was injected, the next challenge was to extract the data, bypassing Google’s security measures that filter outputs like hyperlinks and image markdowns.
The researchers discovered they could exploit the Gemini Browsing Tool as a side channel. They crafted a prompt that instructed Gemini to use its browsing tool to fetch a URL, embedding the user’s private data directly into the URL request sent to an attacker-controlled server.
This exfiltration occurred through tool execution rather than response rendering, circumventing many of Google’s defenses.
Google has successfully remediated all three vulnerabilities. The fixes include stopping hyperlinks from rendering in log summaries, rolling back the vulnerable search personalization model, and preventing data exfiltration through the browsing tool during indirect prompt injections.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
