Three new security vulnerabilities, collectively dubbed the "Gemini Trifecta," were recently uncovered in Google’s Gemini AI assistant suite. These flaws could have allowed attackers to steal users’ saved personal information and location data, proving that AI systems can be turned into attack vehicles rather than just targets. While Google has since patched all the issues, the discovery serves as a vital reminder of the privacy risks inherent in highly personalized, AI-driven platforms.
Details of the Gemini Trifecta
The three distinct vulnerabilities targeted separate functions within the Gemini ecosystem, following a two-step attack method: infiltration (injecting a malicious command) and exfiltration (extracting the data).
- Gemini Cloud Assist: This was an indirect prompt injection flaw where attackers could poison log entries that Gemini was designed to summarize. When an employee used Gemini to summarize these logs, the malicious instructions embedded in a log entry (for example, within a User-Agent header) would execute, potentially compromising cloud resources or enabling targeted phishing attempts. This represents a new class of AI attack using log injection.
- Gemini Search Personalization Model: This flaw involved search injection. Attackers could manipulate a user’s Chrome search history by silently adding malicious search queries using JavaScript. When the user later interacted with Gemini, the AI would process this compromised history and could be tricked into leaking the user’s saved information and location data.
- Gemini Browsing Tool: This vulnerability allowed for the direct theft of a user’s saved information. Attackers could misuse the tool’s functionality to send sensitive data to an external server. The successful exfiltration bypassed many of Google’s defenses by exploiting the Browsing Tool as a side channel. The attackers wrote a prompt instructing Gemini to fetch a URL, embedding the victim's private data directly into that URL request which was sent to an attacker-controlled server.
Google successfully resolved all three vulnerabilities. The fixes included stopping hyperlinks from being rendered in log summaries, quickly rolling back the vulnerable search personalization model, and preventing data from being exfiltrated through the browsing tool when triggered by indirect prompt injections.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
