- 850
- 233
Researchers have disclosed details of three now-patched vulnerabilities in Google's Gemini AI assistant, collectively dubbed the Gemini Trifecta . If successfully exploited, these issues could trick the AI into engaging in data theft and other malicious activity.
Tenable researchers explain that the vulnerabilities affected three different Gemini components:
Prompt injections in Gemini Cloud Assist . The bug allowed attackers to compromise cloud services and resources by exploiting the tool's ability to summarize logs extracted directly from raw logs. This allowed them to hide a prompt in the User-Agent header in HTTP requests to Cloud Functions and other services, including Cloud Run, App Engine, Compute Engine, Cloud Endpoints, Cloud Asset API, Cloud Monitoring API, and Recommender API.
Search injections in the Gemini Search Personalization model . The vulnerability allowed for the injection of prompts and control of AI behavior to steal stored user information and location data. The attack worked as follows: the attacker manipulated the victim's Chrome search history using JavaScript, rendering the model unable to distinguish legitimate user queries from externally injected prompts.
Indirect prompt injections in the Gemini Browsing Tool . The vulnerability could be used to extract stored user information and location data to an external server. The exploitation worked through an internal call that Gemini makes to summarize the contents of a web page. In other words, the attacker placed a malicious prompt on their website, and when Gemini summarized the contents of that page, it executed the attacker's hidden instructions. The researchers note that these vulnerabilities allowed private user data to be embedded in requests to the attacker's malicious server, without Gemini needing to render any links or images.
[td]"One of the most dangerous attack scenarios looks like this: an attacker injects a prompt that instructs Gemini to query all publicly accessible resources or find IAM configuration errors, and then generate a hyperlink with this sensitive data," the experts explain, using a bug in Cloud Assist as an example. "This is possible because Gemini has permissions to query resources via the Cloud Asset API."[/td]In the second case, the attackers lured the victim to a pre-prepared website to inject malicious search queries with Gemini-specific prompts into the user's browser history, poisoning it. Afterward, when the victim accessed Gemini Search Personalization, the attackers' instructions would be executed, stealing confidential data.
After receiving information about the vulnerabilities, Google disabled the rendering of hyperlinks in log summaries and implemented additional protection against prompt injections.
[td]"The Gemini Trifecta vulnerabilities demonstrate that AI can become not only a target but also a tool for attack. When implementing AI, organizations cannot neglect security," the researchers emphasize.[/td]@ xakep.ru
Tenable researchers explain that the vulnerabilities affected three different Gemini components:
Prompt injections in Gemini Cloud Assist . The bug allowed attackers to compromise cloud services and resources by exploiting the tool's ability to summarize logs extracted directly from raw logs. This allowed them to hide a prompt in the User-Agent header in HTTP requests to Cloud Functions and other services, including Cloud Run, App Engine, Compute Engine, Cloud Endpoints, Cloud Asset API, Cloud Monitoring API, and Recommender API.
Search injections in the Gemini Search Personalization model . The vulnerability allowed for the injection of prompts and control of AI behavior to steal stored user information and location data. The attack worked as follows: the attacker manipulated the victim's Chrome search history using JavaScript, rendering the model unable to distinguish legitimate user queries from externally injected prompts.
Indirect prompt injections in the Gemini Browsing Tool . The vulnerability could be used to extract stored user information and location data to an external server. The exploitation worked through an internal call that Gemini makes to summarize the contents of a web page. In other words, the attacker placed a malicious prompt on their website, and when Gemini summarized the contents of that page, it executed the attacker's hidden instructions. The researchers note that these vulnerabilities allowed private user data to be embedded in requests to the attacker's malicious server, without Gemini needing to render any links or images.
After receiving information about the vulnerabilities, Google disabled the rendering of hyperlinks in log summaries and implemented additional protection against prompt injections.