Three serious vulnerabilities, dubbed the Gemini Trifecta, were recently revealed in Google’s Gemini AI assistant suite, based on findings from security researchers at Tenable. These flaws exposed users to significant privacy risks, including search-injection attacks on the Search Personalization Model, log-to-prompt injection attacks on Gemini Cloud Assist, and exfiltration of saved information via the Gemini Browsing Tool.
In other words, inputs that Gemini processed (logs, search history, and web content) could be manipulated so the assistant would treat attacker-crafted content as instructions, then use built-in tools to send sensitive information to an attacker-controlled server.
Tenable researchers demonstrated three distinct, practical attack flows:
- Cloud Assist (log-to-prompt injection): Attackers injected prompt-like text into logs (for example, via a crafted HTTP User-Agent) on public GCP services. When a user later asked Gemini Cloud Assist to summarize or investigate logs, the assistant could interpret that malicious log content as actionable instructions, potentially enabling phishing or other follow‑on attacks.
- Search Personalization (search-history injection): By using JavaScript on a malicious webpage, researchers showed how an attacker could add crafted search queries to a user’s browser history. Because Gemini’s Search Personalization can incorporate historical queries into its context, those injected entries could act as prompts that cause Gemini to disclose stored user data (including saved information and location) or to generate links that exfiltrate data.
- Browsing tool (tool-based exfiltration): Even when UI-level defenses prevent obvious leaks (like rendering external image markdowns or direct links), Gemini’s Browsing tool can be instructed via an injected prompt to fetch a URL containing user data in the query string. Tenable captured outbound requests to an attacker-controlled server that contained the victim’s information, showing a stealthy exfiltration channel that bypasses many rendering protections.
According to Tenable, after disclosure Google implemented multiple mitigations including hardened log-summary rendering, rolled back vulnerable models, strengthened defenses around search personalization and blocking the specific browsing-path exfiltration techniques described along with layered prompt-injection defenses to reduce future risk, and the issues were remediated.
For full technical details including proof-of-concept see Tenable’s official security report here.
Leave a Reply