Gemini Vulnerabilities in Google AI Platform Enable Data and Location Exfiltration

Tenable Research identified three distinct vulnerabilities in Google’s Gemini, showing how modern AI platforms can be leveraged as both targets and vehicles of attack:

• Search-injection attacks targeting the Search Personalization Model
• Log-to-prompt injection attacks abusing Gemini Cloud Assist’s log summarization features
• Exfiltration of saved data and location through the Gemini Browsing Tool

These vulnerabilities demonstrate that the tools designed to streamline user interactions with information are also susceptible to creative attack chains.

Each issue allowed for indirect prompt injection and tool-based exfiltration, bypassing many of Google’s established UI-level defenses.

Attack Impact and Exploitation

Attackers could exploit these vulnerabilities in several ways:

1. By manipulating search history, attackers injected prompts into Gemini’s Search Personalization Model, tricking the AI into leaking sensitive data by embedding it in its replies.
2. Through log-to-prompt injection, attackers poisoned Gemini Cloud Assist’s summarized log entries via crafted User-Agent fields, making credential phishing and stealth attacks possible.
3. The Gemini Browsing Tool, designed to fetch live web data, could be instructed (via a malicious prompt) to make outbound requests to attacker-controlled servers, embedding the user’s location and saved information in the HTTP request without obvious clues on the UI.

The implications are broad: every input surface becomes a potential infiltration point, while dynamic output mechanisms can be weaponized for exfiltration.

Mitigations and Google’s Response

After Tenable’s report, Google swiftly enacted several mitigations:

1. Prevention of hyperlink rendering in log summaries, nullifying phishing attempts in Gemini Cloud Assist.
2. Reinforced prompt injection defenses in the Search Personalization Model and Browsing Tool, using sandboxing and behavioral filters to stop tool-based exfiltration.
3. Layered defenses to block both direct and indirect prompt injections, mitigating stealthy infiltration routes.

All vulnerabilities have been remediated, but the Gemini Trifecta highlights the necessity for continuous visibility and rigorous policy enforcement for organizations adopting AI at scale.

Risk Factor Table

Attack Path	Risk Factor	Exploitation Prerequisites	Data Exposure Potential	Remediation Status
Search Personalization Model	HIGH	Victim visits attacker’s site; search history manipulated	User’s saved info, location	Fixed
Gemini Cloud Assist (Log Summarization)	HIGH	Malicious User-Agent injected; victim reviews logs	Credentials, cloud data	Fixed
Gemini Browsing Tool	HIGH	Attacker prompt triggers data exfiltration tool	Saved info, location	Fixed

• AI is not just a target, it is an attack vehicle. Security strategies must treat AI as a dynamic risk surface.
• Visibility and enforcement are critical for mitigating AI threats; all input and output channels must be strictly controlled.
• Even robust sandboxing defenses can be circumvented through prompt engineering and tool exploitation, as demonstrated in Gemini.

While Google’s rapid remediation closed these gaps, the lessons of the Gemini Trifecta should inform future security for all dynamic AI platforms.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates

The post Gemini Vulnerabilities in Google AI Platform Enable Data and Location Exfiltration appeared first on Cyber Security News.