{"id":3117,"date":"2025-10-05T20:54:36","date_gmt":"2025-10-05T20:54:36","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/10\/05\/gemini-trifecta-highlights-dangers-of-indirect-prompt-injection\/"},"modified":"2025-10-05T20:54:36","modified_gmt":"2025-10-05T20:54:36","slug":"gemini-trifecta-highlights-dangers-of-indirect-prompt-injection","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/10\/05\/gemini-trifecta-highlights-dangers-of-indirect-prompt-injection\/","title":{"rendered":"Gemini Trifecta Highlights Dangers of Indirect Prompt Injection"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-c861f829-167f-4db6-8d64-a3c83eeaa071\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Network defenders must start treating AI integrations as active threat surfaces, experts have warned after revealing three new vulnerabilities in Google Gemini.<\/p>\n<p>Tenable dubbed its latest discovery the \u201cGemini Trifecta\u201d because it consists of three ways that threat actors can manipulate the Google GenAI tool for indirect prompt injection and data exfiltration.<\/p>\n<p>The first indirect prompt injection vulnerability affects Gemini Cloud Assist: a tool designed to help users understand complex logs in the Google Cloud Platform (GCP) by summarizing entries and surfacing recommendations.<\/p>\n<p>The attack works by inserting attacker-controlled text into a log entry which is subsequently summarized by Cloud Assist. 
Its instructions are then unwittingly executed by the Google tool.<\/p>\n<p>\u201cTo test this, we attacked a mock victim\u2019s Cloud Function and sent a prompt injection input into the User-Agent header with the request to the Cloud Function. This input naturally flowed into Cloud Logging. From there, we simulated a victim reviewing logs via the Gemini integration in GCP\u2019s Log Explorer,\u201d explained Tenable.<\/p>\n<p>\u201cTo our surprise, Gemini rendered the attacker\u2019s message and inserted the phishing link into its log summary, which was then output to the user.\u201d<\/p>\n<p>Logs can be injected into GCP by any unauthenticated attacker, in a targeted manner or by \u201cspraying\u201d all GCP public-facing services, the report noted.<\/p>\n<p>Poisoning cloud logs in this way could enable attackers to escalate access, query sensitive assets\u00a0or surface misleading recommendations inside cloud platforms, it warned.<\/p>\n<p>The second indirect prompt injection attack technique targeted Gemini\u2019s Search Personalization Model: a tool that contextualizes responses based on user search history.<\/p>\n<p>The researchers sought to inject malicious queries into a user\u2019s Chrome search history. Gemini later processed these queries as trusted context, enabling attackers to manipulate Gemini\u2019s behavior and extract sensitive data.<\/p>\n<p>\u201cThe attack was executed by injecting malicious search queries with JavaScript from a malicious website. 
If a victim visited the attacker\u2019s website, the JavaScript would inject the malicious search queries into the victim\u2019s browsing history,\u201d Tenable explained.<\/p>\n<p>\u201cWhen the user interacted with Gemini\u2019s Search Personalization Model, it would process the user\u2019s search queries, including these malicious search queries injected by the attacker, which are essentially prompt injections to Gemini. Since the Gemini model retains the user\u2019s memories, aka \u2018Saved Information,\u2019\u00a0and the user\u2019s location, the injected queries can access and extract user-specific sensitive data.\u201d<\/p>\n<p>In this way, malicious search injections could enable threat actors to harvest personal and corporate data stored as AI \u201cmemories,\u201d the report warned.<\/p>\n<h2>Exfiltrating Data Via Gemini Browsing Tool<\/h2>\n<p>The third attack detailed by Tenable tricks the Gemini Browsing Tool, using malicious prompts, into sending sensitive data from the victim to attacker-controlled servers.<\/p>\n<p>\u201cThe Gemini Browsing Tool allows the model to access live web content and generate summaries based on that content. This functionality is powerful, but when combined with prompt engineering, it opened a side-channel exfiltration vector,\u201d Tenable explained.<\/p>\n<p>\u201cWhat if we asked Gemini to \u2018summarize\u2019 a webpage \u2013 where the URL included sensitive data in the query string? Would Gemini fetch a malicious external server with the victim\u2019s sensitive data in the request?\u201d<\/p>\n<p>After some trial and error, the research team managed to trick the tool into doing just this. Crucially, it consulted Gemini\u2019s \u201cShow thinking\u201d feature, which revealed the tool\u2019s internal browsing API calls. 
This enabled Tenable to craft prompts using Gemini\u2019s browsing language.<\/p>\n<p>The researchers warned that the attack surface could be even broader than the tools compromised in this research, including cloud infrastructure services like GCP APIs, enterprise productivity tools that integrate with Gemini\u00a0and third-party apps that have Gemini summaries or context ingestion embedded.<\/p>\n<p>Google has now fixed these three issues, but Tenable urged security teams to:<\/p>\n<ul>\n<li>Assume that attacker-controlled content will reach AI systems indirectly<\/li>\n<li>Implement layered defenses, including input sanitization, context validation\u00a0and strict monitoring of tool executions<\/li>\n<li>Regularly pen test AI-enabled platforms for prompt injection resilience<\/li>\n<\/ul><\/div>\n<p>Image\u00a0credit: ioda \/ Shutterstock.com<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Network defenders must start treating AI integrations as active threat surfaces, experts have warned after revealing three new vulnerabilities in Google Gemini. Tenable dubbed its latest discovery the \u201cGemini Trifecta\u201d because it consists of three ways that threat actors can manipulate the Google GenAI tool for indirect prompt injection and data exfiltration. 
The first indirect<\/p>\n","protected":false},"author":2,"featured_media":3118,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3117","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3117-fef1c8e2-27af-4b16-a8ea-400fb15ed44e-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3117"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3117\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3118"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3117"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}