Gemini Trifecta: Three Flaws Allowed Hackers to Exploit Google’s AI for Stealthy Data Theft
Researchers at Tenable have disclosed three vulnerabilities in Google’s Gemini AI, flaws that enabled data theft and remote exploitation. Collectively dubbed the “Gemini Trifecta,” these issues affected distinct modules of the assistant.
The first flaw was identified in Gemini Cloud Assist. Its log-analysis mechanism allowed an attacker to inject hidden instructions directly into an HTTP request, such as within the User-Agent field. When Gemini processed this data, it executed arbitrary code with access to multiple Google Cloud components, including Cloud Run, App Engine, Compute Engine, Cloud Endpoints, Cloud Asset API, and Cloud Monitoring API. This provided adversaries the ability to scan infrastructure for misconfigurations, extract lists of accessible resources, and forward results to attacker-controlled servers.
The second vulnerability involved the search personalization model, which analyzed a user’s Chrome search history but failed to distinguish legitimate queries from injected commands. A malicious website could execute JavaScript to insert crafted search strings into a user’s history. Later, when Gemini referenced that history, it interpreted the hidden instructions as genuine queries—potentially leaking saved data or even the victim’s geolocation to the attacker.
The third flaw lay within the Gemini Browsing Tool, which performed internal calls to summarize webpage content. Exploit code leveraged this process to embed commands that redirected sensitive user information to attacker servers. Critically, no user interaction was required—the exfiltration occurred automatically during text processing.
According to Tenable, attackers could combine these methods to design complex scenarios in which personal information was silently embedded into requests sent to external servers. One example involved tampering with log instructions, compelling Gemini to export public assets or enumerate misconfigured permissions.
Following responsible disclosure, Google disabled hyperlink generation in all log-related functions and introduced additional safeguards against prompt injection techniques.
Analysts emphasize that the Gemini Trifecta highlights a dangerous new threat vector: artificial intelligence itself can be transformed into an attack tool rather than merely a target. Organizations must therefore secure not only their core services but also the mechanisms by which AI assistants interact with data and cloud environments.
In parallel, the CodeIntegrity platform revealed another case of similar abuse. Its researchers demonstrated an exploit against Notion’s AI agent, where malicious instructions were hidden in a PDF using white text on a white background. Upon processing the file, the model executed the covert command to harvest confidential data and transmit it to attackers. Because such AI agents often have direct access to documents, databases, and external connectors, they greatly expand the attack surface in ways traditional access-control systems cannot anticipate.
Together, the vulnerabilities in Google Gemini and the Notion demonstration illustrate a critical reality: the proliferation of AI assistants is transforming them into convenient channels for stealthy data exfiltration, underscoring the urgent need for a dedicated security paradigm for intelligent systems.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
