Researchers have disclosed details of three already-fixed vulnerabilities in Google’s Gemini AI assistant, collectively dubbed Gemini Trifecta. If successfully exploited, these issues allowed attackers to trick the AI into participating in data theft and other malicious activity.
Tenable researchers report that the vulnerabilities affected three different components of Gemini:
Prompt injections in Gemini Cloud Assist. The bug allowed attackers to compromise cloud services and resources by exploiting the fact that the tool is capable of summarizing logs extracted directly from raw logs. This made it possible to hide a prompt in the User-Agent header as part of an HTTP request to Cloud Functions and other services, including Cloud Run, App Engine, Compute Engine, Cloud Endpoints, Cloud Asset API, Cloud Monitoring API, and Recommender API.
Search prompt injections in the Gemini Search Personalization model. The issue allowed attackers to inject prompts and control the AI’s behavior to steal the user’s saved information and location data. The attack worked as follows: an attacker used JavaScript to manipulate the victim’s Chrome search history, and the model couldn’t distinguish legitimate user queries from externally injected prompts.
Indirect prompt injections in the Gemini Browsing Tool. The vulnerability could be used to exfiltrate the user’s saved information and location data to an external server. The issue could be exploited via an internal call that Gemini makes to summarize a web page’s contents. In other words, an attacker would place a malicious prompt on their site, and when Gemini summarized that page’s contents, it would execute the attacker’s hidden instructions.
Researchers note that these vulnerabilities allowed embedding a user’s private data into a request to the attackers’ malicious server, and Gemini didn’t need to render any links or images.
“One of the most dangerous attack scenarios looks like this: an attacker injects a prompt that instructs Gemini to request all publicly accessible resources or find IAM misconfigurations, and then generate a hyperlink containing this sensitive data,” the experts explain, using a bug in Cloud Assist as an example. “This is possible because Gemini has permissions to query resources via the Cloud Asset API.”
In the second case, the attacker needed to lure the victim to a preprepared site to inject malicious search queries containing prompts for Gemini into the user’s browser history, thereby poisoning it. After that, when the victim uses Gemini Search Personalization, the attackers’ instructions will be executed and confidential data will be stolen.
After learning about the vulnerabilities, Google engineers disabled hyperlink rendering in responses when summarizing logs and also implemented additional safeguards against prompt injections.
“The Gemini Trifecta vulnerabilities show that AI can become not only a target but also a tool for attack. When implementing AI, organizations cannot afford to neglect security,” the researchers emphasize.