Cybersecurity researchers disclosed three now-patched security vulnerabilities in Google’s Gemini artificial intelligence assistant that could have exposed users to privacy risks and data theft, Tenable security researcher Liv Matan said in a report.
Tenable called the flaws the “Gemini Trifecta” and said they affected three distinct components: a prompt injection flaw in Gemini Cloud Assist; a search-injection flaw in the Gemini Search Personalization model; and an indirect prompt injection in the Gemini Browsing Tool that could be used to exfiltrate saved information and location data.
Tenable described how the Cloud Assist flaw could allow attackers to conceal a prompt inside a User-Agent header in an HTTP request and use Gemini’s ability to summarize raw logs to target cloud services such as Cloud Functions, Cloud Run, App Engine, Compute Engine, Cloud Endpoints, the Cloud Asset API, Cloud Monitoring API and the Recommender API. The company said the vulnerability could be abused to embed private data inside a request to a malicious server without Gemini needing to render links or images.
The report also said attackers could manipulate a user’s Chrome search history with JavaScript and leverage the model’s inability to distinguish injected prompts from legitimate queries to cause the Search Personalization model to leak saved information and location data, and that the Browsing Tool’s internal page-summarization call could be used to exfiltrate data to an external server.
Following responsible disclosure, Google has stopped rendering hyperlinks in log summarization responses and has added additional hardening measures to defend against prompt injections, the article said. The development comes as the agentic security firm CodeIntegrity detailed an attack that hides prompt instructions in a PDF using white text to persuade an AI agent to collect and send confidential data, the company said.
Tenable warned that the vulnerabilities show AI can be used as an attack vehicle and said organizations adopting AI should maintain visibility into where tools are used and enforce strict policies to control them.