More
- Awards
- Blogs
- BrandPosts
- Events
- Podcasts
- Videos
- Enterprise Buyer’s Guides
Three vulnerabilities in Google’s Gemini AI tools exposed risks in Cloud Assist, Search, and Browsing — allowing prompt injection, logic manipulation, and stealth data leaks before being patched.
Credit: shutterstock.com – JRdes
Security researchers at Tenable revealed three distinct vulnerabilities across Gemini’s cloud assist, search optimization, and browsing components.
If exploited, these flaws allow attackers to inject prompts, hijack AI logic, and quietly siphon private user data, even bypassing many of Google’s built-in safeguards. Together, the flaws have been dubbed “Gemini Trifecta.”
Itay Ravia, head of Aim Labs, the cybersecurity outfit that first documented a similar EchoLeak zero-click attack on Microsoft 365 Copilot, said, “Tenable’s Gemini Trifecta reinforces that agents themselves become the attack vehicle once they’re granted too much autonomy without sufficient guardrails. The pattern is clear: logs, search histories, and browsing tools are all active attack surfaces.”
Google has since patched the issue, but researchers emphasized that the episode is a wake-up call for the AI era.
Prompt injection in Gemini Cloud Assist and Search
Gemini Cloud Assist is a feature that helps users summarize and interpret cloud logs (particularly in Google Cloud). Tenable found that this service could be tricked by an attacker to embed specially formatted content, such as through a manipulated HTTP User-Agent header, in a log. The tweaked content then flows into the logs, which Gemini later ingests and summarizes.
In a proof-of-concept (PoC) shared in a blog post, the researchers sent malicious prompt fragments via the User Agent field to a Cloud Function endpoint. When Gemini later “explained” the log entry, it included a phish-ready link derived from the crafted input–though the full prompt was hidden behind a collapsed “Additional prompt details” section.
Because logs are pervasive and are often considered passive artifacts, this effectively turns nearly any public-facing cloud endpoint into an attack surface, researchers noted. The blog post further argued that several other Google Cloud services, including Functions, Run, App Engine, Load Balancing, etc, could be similarly abused if logs are used in AI-assisted summarization.
The second vector exploits Gemini’s search personalization. As Gemini’s Search module uses a user’s past queries as context, an attacker could use JavaScript tricks to insert malicious “search queries” into a user’s browser history. When Gemini reads that history as context, it treats those injected prompts as legitimate inputs.
“The underlying issue was the model’s inability to differentiate between legitimate user queries and injected prompts from external sources,” the researchers said. “The JavaScript trick to inject search history to victims included stopping a redirect to the Google Search API, but waiting long enough to allow it to be logged in the search history and not actually redirecting the page.”
Even after prompt injection, the attacker needs a way to pull data out, and that’s what the third flaw affecting the Gemini Browsing Tool allowed. Tenable researchers crafted prompts to trick Gemini to fetch external web content using the Browser Tool, embedding user data into the query string of that request. The outbound HTTP call thereby carried the user’s sensitive data to an attacker-controlled server, without relying on visibly rendered links or markdown tricks.
This finding is notable as Google already has mitigations like suppressing hyperlink rendering or filtering image markdowns. The attack bypassed those UI-level defenses by using Google Browsing Tool invocation as the exfiltration channel.
While Google did not immediately respond to CSO’s request for comment, Tenable said the cloud giant has fixed all of these issues by sanitizing link outputs in Browser Tool and bringing in more structural protections in Gemini Cloud Assist and Search.
Prompt injection attacks have been around since AI first came into play, alongside some other sophisticated ways to subvert these intelligent models, including EchoChamber, EchoLeak, and Crescendo. “These are intrinsic weaknesses in the way today’s agents are built, and we will continue to see them resurface across different platforms until runtime protections are widely deployed,” Ravia noted.
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
Shweta has been writing about enterprise technology since 2017, most recently reporting on cybersecurity for CSO online. She breaks down complex topics from ransomware to zero trust architecture for both experts and everyday readers. She has a postgraduate diploma in journalism from the Asian College of Journalism, and enjoys reading fiction, watching movies, and experimenting with new recipes when she’s not busy decoding cyber threats.
More from this author
`,
cio: `
🚀 The new CIO.com hybrid search: 🔍 Explore CIO content smarter, faster and AI powered. ✨
`,
nww: `
🚀 The new NetworkWorld.com hybrid search: 🔍 Explore NetworkWorld content smarter, faster and AI powered. ✨
`,
cw: `
🚀 The new Computerworld.com hybrid search: 🔍 Explore Computerworld content smarter, faster and AI powered. ✨
`,
cso: `
🚀 The new CSOonline.com hybrid search: 🔍 Explore CSO content smarter, faster and AI powered. ✨
`
};
const sharedStyles = `
`;
const publisher = foundry_get_publisher();
const htmlContent = contentSwitch[publisher];
if (!htmlContent || !document.body) return;
document.body.insertAdjacentHTML(“afterbegin”, htmlContent + sharedStyles);
const bar = document.querySelector(“.section-block–announcementbar”);
if (bar) {
requestAnimationFrame(() => {
bar.classList.add(“section-block–announcementbar–visible”);
});
}
const btn = document.querySelector(“.section-block–announcementbar .reset-button”);
const searchIcon = document.querySelector(‘.header__icon-button[data-menu-trigger=”search”] svg’);
const searchTrigger = document.querySelector(‘[data-menu-trigger=”search”]’);
if (searchIcon) {
searchIcon.innerHTML = ‘
‘;
}
if (btn && searchTrigger) {
btn.addEventListener(“click”, () => searchTrigger.click());
}
console.log(“[MISO SCRIPT] Conditions met, initializing Miso search announcements.”);
};
initMisoSearchAnnouncements();
});
document.addEventListener(‘consentManagerReady’, () => {
const hasConsentYouTube = consentManager.checkConsentByVendors([
‘YouTube’,
‘YT’
]);
if (hasConsentYouTube.some(vendor => vendor[‘Has Consent’] === false)) {
console.log(‘[YOUTUBE SCRIPT] Consent not given for YouTube.’);
} else {
console.log(‘[YOUTUBE SCRIPT] Consent given for YouTube. Loading script…’);
}
});
document.addEventListener(‘consentManagerReady’, () => {
const hasConsentGAM = consentManager.checkConsentByVendors([
‘Google Ad Manager’,
‘GAM’
]);
if (hasConsentGAM.some(vendor => vendor[‘Has Consent’] === false)) {
console.log(‘[GAM SCRIPT] Consent not given for GAM.’);
} else {
console.log(‘[GAM SCRIPT] Consent given for GAM. Loading script…’);
}
});
document.addEventListener(‘consentManagerReady’, () => {
const hasConsentGoogleFonts = consentManager.checkConsentByVendors([
‘Google Fonts’,
‘Google Web Fonts’
]);
if (hasConsentGoogleFonts.some(vendor => vendor[‘Has Consent’] === false)) {
console.log(‘[GOOGLE FONTS SCRIPT] Consent not given for Google Fonts.’);
} else {
console.log(‘[GOOGLE FONTS SCRIPT] Consent given for Google Fonts. Loading script…’);
}
});
document.addEventListener(‘consentManagerReady’, () => {
const hasConsentAdobeTypekit = consentManager.checkConsentByVendors([
‘Adobe Typekit’
]);
if (hasConsentAdobeTypekit.every(vendor => vendor[‘Has Consent’] === true)) {
if (foundry_is_edition(‘kr’)) {
const link = document.createElement(‘link’);
link.rel = ‘stylesheet’;
link.href = ‘https://use.typekit.net/ihi5tse.css’;
document.head.appendChild(link);
}
}
});
document.addEventListener(‘consentManagerReady’, () => {
const vendors = [‘Subscribers’];
const hasConsentSubscribers = consentManager.checkConsentByVendors(vendors);
if (hasConsentSubscribers.some(vendor => vendor[‘Has Consent’] === false)) {
return;
} else {
if (foundry_is_language(‘en’)) {
console.log(‘Language is English’);
// subscribers english ..
}
if (foundry_is_edition(‘kr’)) {
console.log(‘Edition is Korean’);
// subscribers in korean ..
}
if (foundry_is_edition(‘ja’)) {
console.log(‘Edition is Japanese’);
// subscribers in japanese ..
}
}
});
