TLDR: Cybersecurity firm Tenable has revealed three significant security flaws, dubbed the ‘Gemini Trifecta,’ in Google’s Gemini AI assistant. These vulnerabilities could have allowed attackers to silently steal sensitive user data, including location information and saved memories, by manipulating Gemini’s behavior through poisoned logs, injected search histories, and hidden browsing requests. Google has since remediated these issues.
Cybersecurity researchers at Tenable have exposed a trio of critical vulnerabilities within Google’s Gemini artificial intelligence (AI) suite, collectively termed the ‘Gemini Trifecta.’ These flaws, now patched by Google, presented substantial privacy risks, potentially enabling malicious actors to manipulate Gemini’s functionality and surreptitiously exfiltrate sensitive user data from millions of individuals.
The ‘Gemini Trifecta’ comprised weaknesses across three core components of the Gemini platform:
1. Gemini Cloud Assist: Researchers discovered that poisoned log entries could be planted within Cloud Assist. When users subsequently interacted with Gemini, the system might unknowingly execute these malicious instructions, allowing attackers to exploit cloud-based services, compromise cloud resources, and even facilitate phishing attempts. Tenable Research highlighted this as a new class of attack where log injections could ‘poison AI inputs with arbitrary prompt injections.’
2. Gemini Search Personalisation Model: This vulnerability allowed attackers to silently inject malicious queries into a victim’s browser history. Since Gemini treats browser history as a trusted context for its recommendations and responses, this loophole could have enabled the siphoning of personal details, such as location history and saved information, without the user’s awareness.
3. Gemini Browsing Tool: The third flaw involved manipulating the Gemini Browsing Tool to make hidden outbound requests. Attackers could embed private user data within these requests, delivering it directly to attacker-controlled servers. This method of data exfiltration bypassed many UI-level defenses, as it did not require Gemini to visibly render suspicious links or images.
According to Tenable Research, the fundamental issue stemmed from Gemini’s integrations failing to adequately distinguish between safe user input and attacker-supplied content. This meant that compromised logs, injected search history entries, or hidden web content could all be treated as trusted context by Gemini, effectively transforming routine features into covert attack channels.
Liv Matan, Senior Security Researcher at Tenable, emphasized the severity of these findings: “These vulnerabilities show how AI platforms can be manipulated in ways users never see, making data theft invisible.” Matan further elaborated on the broader implications, stating, “The Gemini Trifecta shows that AI itself can be turned into the attack vehicle, not just the target. As organizations adopt AI, they cannot overlook security.” She added, “Protecting AI tools requires visibility into where they exist across the environment and strict enforcement of policies to maintain control.”
Also Read:
- Google Integrates Gemini Generative AI Across Smart Home Ecosystem, Enhancing Conversational Control and Features
- Generative AI Fuels Surge in Cyberattacks, Exposing New Vulnerabilities in Japan and Globally
Google has since implemented remediations for these vulnerabilities, including stopping the rendering of hyperlinks in log summarization responses and adding further hardening measures against prompt injections. The discovery underscores the evolving landscape of cybersecurity threats, where AI systems, while powerful, introduce new attack vectors that demand proactive and robust security strategies.
