A critical vulnerability in Google Gemini Enterprise and Vertex AI Search, dubbed GeminiJack, that allows attackers to exfiltrate sensitive corporate data without any user interaction or security alerts.
The flaw exploits an architectural weakness in how enterprise AI systems process and interpret information, turning the AI itself into an unauthorized access layer for corporate data.
How GeminiJack Works
The vulnerability leverages indirect prompt injection techniques embedded within shared Google Docs, calendar invitations, or emails.
When an employee performs a routine search in Gemini Enterprise, such as “show me our budgets,” the AI automatically retrieves poisoned documents containing hidden instructions.
These instructions then cascade across the organization’s entire Google Workspace ecosystem, including Gmail, Calendar, Docs, and other connected data sources, without triggering any security warnings or DLP alerts.
The exfiltration occurs silently through a disguised external image request, making the data theft indistinguishable from legitimate traffic to security monitoring tools.
Unlike traditional cyberattacks requiring phishing or credential theft, GeminiJack operates completely invisibly.
Employees see no suspicious activity; they perform a standard search and receive results.
Security teams observe nothing unusual: no malware execution, no anomalous credentials usage, just routine AI behavior and standard image loading. This invisibility makes the vulnerability particularly dangerous.
A single successful attack can exfiltrate years of email correspondence, complete calendar histories revealing business relationships and organizational structure, and entire document repositories containing confidential agreements and technical specifications.
The attack unfolds in four steps: an attacker creates seemingly legitimate content within accessible data sources and embeds prompt injection payloads.
When employees perform standard searches, the RAG (Retrieval-Augmented Generation) system retrieves the poisoned content.
Critically, Gemini treats the embedded malicious instructions as legitimate commands, searches for sensitive terms across all accessible data, and transmits results to the attacker’s server through HTTP requests.
Google worked directly with Noma Labs to validate findings and deploy updates, changing how Gemini Enterprise and Vertex AI Search interact with retrieval and indexing systems.
Following the discovery, Vertex AI Search was entirely separated from Gemini Enterprise and no longer shares the same LLM-powered workflows or RAG capabilities.
GeminiJack represents a growing class of AI-native vulnerabilities that organizations must address immediately as enterprise adoption of AI tools accelerates.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.