{"id":3808,"date":"2025-12-11T06:38:49","date_gmt":"2025-12-11T06:38:49","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/12\/11\/google-fixes-zero-click-gemini-enterprise-flaw-that-exposed-corporate-data\/"},"modified":"2025-12-11T06:38:49","modified_gmt":"2025-12-11T06:38:49","slug":"google-fixes-zero-click-gemini-enterprise-flaw-that-exposed-corporate-data","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/12\/11\/google-fixes-zero-click-gemini-enterprise-flaw-that-exposed-corporate-data\/","title":{"rendered":"Google Fixes Zero Click Gemini Enterprise Flaw That Exposed Corporate Data"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Google has patched a zero-click vulnerability in Gemini Enterprise that could lead to corporate data leaks.<\/p>\n<p>The flaw was discovered in June 2025 by security researchers at Noma Security and reported to Google the same day.<\/p>\n<p>Dubbed \u2018GeminiJack\u2019 by the researchers, it is an architectural weakness in Google Gemini Enterprise, Google\u2019s set of corporate AI assistant tools, and in Vertex AI Search, a Google Cloud platform for building AI-powered search and recommendation experiences.<\/p>\n<p>This weakness allows a type of indirect prompt injection enabling attackers to add malicious instructions to common documents in Gmail, Google Calendar, Google Documents \u2013 or any other Google Workspace components Gemini Enterprise has accessed to \u2013 to exfiltrate sensitive corporate information.<\/p>\n<p>Exploiting this flaw does not require the target employee to click anywhere and does not trigger any security controls.<\/p>\n<h2><strong>GeminiJack\u2019s Attack Chain<\/strong><\/h2>\n<p>The attacker only needs to embed hidden instructions inside a shared or externally contributed document to perform the attack.<\/p>\n<p>Here is the breakdown of the attack chain\u2019s main steps:<\/p>\n<ol>\n<li><strong>Content poisoning:<\/strong> An attacker creates a seemingly harmless Google Doc, Calendar event or Gmail email containing hidden instructions for Gemini Enterprise to search for sensitive terms and embed results in an external image URL they control<\/li>\n<li><strong>Trigger:<\/strong> A legitimate employee performs a routine search, unintentionally prompting the AI to process the attacker\u2019s poisoned content<\/li>\n<li><strong>AI execution:<\/strong> Gemini retrieves the attacker\u2019s document, misinterprets the instructions as valid, and scans authorized Workspace data for the sensitive terms<\/li>\n<li><strong>Exfiltration:<\/strong> The AI includes the attacker\u2019s malicious image tag in its response. When loaded, the victim\u2019s browser sends the stolen data to the attacker\u2019s server via a standard HTTP request, bypassing traditional security checks<\/li>\n<\/ol>\n<p>This attack worked because Google Gemini Enterprise\u00a0AI\u2019s search feature implements a Retrieval-Augmented Generation (RAG) architecture that allows organizations to query across multiple data sources in Google Workspace.<\/p>\n<p>\u201cOrganizations must pre-configure which data sources the RAG system can access. This pre-configuration step determines the scope of data available to the Gemini model during query processing. Once configured, the system has persistent access to these data sources for all user queries,\u201d said the Noma Security researchers.<\/p>\n<p>\u201cThe vulnerability exploits the trust boundary between user-controlled content in data sources and the AI model\u2019s instruction processing. An attacker can plant malicious instructions within content that gets retrieved and processed by the RAG system.\u201d<\/p>\n<p>Noma Security shared a step-by-step proof-of-concept (PoC) exploit for this vulnerability in its report on GeminiJack, published on December 8.<\/p>\n<h2><strong>Adoption of Corporate AI Brings Growing Indirect Prompt Injection Risk<\/strong><\/h2>\n<p>Google confirmed receipt of the vulnerability report from Noma Security in August and started to work with them to fix it.<\/p>\n<p>The tech giant deployed updates that changed how Gemini Enterprise and Vertex AI Search interact with their underlying retrieval and indexing systems.<\/p>\n<p>After the discovery, Vertex AI Search was fully separated from Gemini Enterprise and no longer uses the same large language model -powered (LLM) workflows or RAG capabilities.<\/p>\n<p>However, the Noma Security researchers expect that this attack will not be the last of its kind.<\/p>\n<p>They stated that traditional perimeter defense controls, endpoint protection solutions and data loss prevention tools \u201cweren\u2019t designed to detect when your AI assistant becomes an exfiltration engine.\u201d<\/p>\n<p>\u201cAs AI agents gain broader access to corporate data and autonomy to act on instructions, the blast radius of a single vulnerability expands exponentially. Organizations deploying AI systems with access to sensitive data must carefully consider trust boundaries, implement robust monitoring and stay informed about emerging AI security research,\u201d the Noma Security researchers concluded.<\/p>\n<p>The UK\u2019s National Cyber Security Centre (NCSC) recently shared new guidance to mitigate prompt injection attacks.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Google has patched a zero-click vulnerability in Gemini Enterprise that could lead to corporate data leaks. The flaw was discovered in June 2025 by security researchers at Noma Security and reported to Google the same day. Dubbed \u2018GeminiJack\u2019 by the researchers, it is an architectural weakness in Google Gemini Enterprise, Google\u2019s set of corporate AI<\/p>\n","protected":false},"author":2,"featured_media":3809,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3808","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3808-69678272-1297-49e7-b762-280d80fdd182-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3808"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3808\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3809"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3808"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}